Hey guys:

Today I have used outbound load balancing in pf for the first time for
a client with 2 Internet connections.  In rewriting the ruleset I've
had no problems with connectivity with the exception of getting an SSH
connection to the firewall to work on either of the two external
interfaces.  (internal works fine)

If I look at the pflog, I can see the connection being passed in (as
well as two retries), but I never see anything being passed back out,
nor blocked.  The three tries get passed in from the client and then
the client times out.

What am I missing?

pf.conf
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

EXT_IF_1="em0"
EXT_GATE_1="###.###.###.###"

EXT_IF_2="em1"
EXT_GATE_2="###.###.###.###"

INT_IF="re0"
NETWORK="10.0.0.0/24"

icmp_types="echoreq"

set block-policy return
set loginterface none

set skip on lo

match out on $EXT_IF_1 from $NETWORK nat-to ($EXT_IF_1)
match out on $EXT_IF_2 from $NETWORK nat-to ($EXT_IF_2)

block log all

match in all scrub (no-df max-mss 1440)

antispoof quick for { lo $INT_IF }

pass log quick on $EXT_IF_1 inet proto tcp from any to ($EXT_IF_1) port ssh keep state
pass log quick on $EXT_IF_2 inet proto tcp from any to ($EXT_IF_2) port ssh keep state

anchor "ftp-proxy/*"
pass in on $EXT_IF_1 inet proto tcp to port ftp rdr-to 127.0.0.1 port 21
pass in on $EXT_IF_2 inet proto tcp to port ftp rdr-to 127.0.0.1 port 21
pass in on $INT_IF proto tcp to port ftp rdr-to 127.0.0.1 port 8021

pass out on $INT_IF to $NETWORK

pass in quick on $INT_IF from $NETWORK to $INT_IF

pass in inet proto icmp all icmp-type $icmp_types

pass in on $INT_IF from $NETWORK route-to {($EXT_IF_1 $EXT_GATE_1),
($EXT_IF_2 $EXT_GATE_2)} round-robin

pass out log on $EXT_IF_1
pass out log on $EXT_IF_2

pass out log on $EXT_IF_1 from $EXT_IF_2 route-to ($EXT_IF_2 $EXT_GATE_2)
pass out log on $EXT_IF_2 from $EXT_IF_1 route-to ($EXT_IF_1 $EXT_GATE_1)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
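The following is an added illustration for this thread, not pf source and not the poster's ruleset. It is a toy model of one pf property that matters for SSH to the second external interface of a dual-WAN box: a packet that matches an existing state is passed without the ruleset being evaluated, so a `pass out ... route-to` rule never sees the reply to an inbound connection; the reply path has to come from the state itself, which is what `reply-to` on the inbound rule records. Interface names follow the config above; the addresses, gateways, client and the assumption that ISP1 on em0 holds the default route are all constructed.

```python
"""Toy model of pf state-before-ruleset handling on a dual-WAN firewall.
Illustration only (not pf code); addresses are constructed RFC 5737 values
standing in for the masked gateways in the posted config."""

from dataclasses import dataclass
from typing import Optional, Tuple

Hop = Tuple[str, str]  # (interface, gateway address), as in the old route-to syntax

# Constructed topology: ISP1 on em0 holds the default route, ISP2 on em1.
EXT_IF_1, EXT_GATE_1, EXT_ADDR_1 = "em0", "198.51.100.1", "198.51.100.10"
EXT_IF_2, EXT_GATE_2, EXT_ADDR_2 = "em1", "203.0.113.1", "203.0.113.10"
DEFAULT_ROUTE: Hop = (EXT_IF_1, EXT_GATE_1)
CLIENT = "192.0.2.5"  # constructed SSH client somewhere on the Internet


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    ifname: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    direction: str
    ifname: Optional[str] = None   # None matches any interface
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    action: str = "pass"
    quick: bool = False
    keep_state: bool = False
    route_to: Optional[Hop] = None  # applies to packets in the state's own direction
    reply_to: Optional[Hop] = None  # applies to packets in the reply direction

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.ifname in (None, p.ifname)
                and self.src in (None, p.src)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))


@dataclass
class State:
    initiator: str  # source address of the packet that created the state
    route_to: Optional[Hop]
    reply_to: Optional[Hop]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}  # floating states (OpenBSD default): keyed on endpoints only

    @staticmethod
    def _key(p: Packet):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _evaluate(self, p: Packet) -> Optional[Rule]:
        """Last matching rule wins unless a matching rule is 'quick'."""
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        return winner

    def handle(self, p: Packet):
        """Return (verdict, next_hop, how); next_hop is None unless passed outbound."""
        st = self.states.get(self._key(p))
        if st is not None:
            # Existing state: passed without consulting the ruleset, so any
            # 'pass out ... route-to' rule is never evaluated for this packet.
            if p.direction != "out":
                return "pass", None, "state"
            hop = st.route_to if p.src == st.initiator else st.reply_to
            return "pass", hop or DEFAULT_ROUTE, "state"
        r = self._evaluate(p)
        if r is None or r.action == "block":
            return "block", None, "rule"
        if r.keep_state:
            self.states[self._key(p)] = State(p.src, r.route_to, r.reply_to)
        if p.direction != "out":
            return "pass", None, "rule"
        return "pass", r.route_to or DEFAULT_ROUTE, "rule"


def ssh_reply_path(reply_to: Optional[Hop]) -> Hop:
    """Where the firewall's SYN/ACK to an SSH client arriving via ISP2 is sent,
    given what the inbound rule records in the state (None = no reply-to)."""
    fw = Firewall([
        Rule("in", action="block"),   # block log all
        Rule("out", action="block"),
        # pass log quick on $EXT_IF_2 proto tcp to ($EXT_IF_2) port ssh keep state
        Rule("in", EXT_IF_2, dst=EXT_ADDR_2, dport=22, quick=True,
             keep_state=True, reply_to=reply_to),
        # pass out on $EXT_IF_1 from $EXT_IF_2 route-to ($EXT_IF_2 $EXT_GATE_2)
        Rule("out", EXT_IF_1, src=EXT_ADDR_2, route_to=(EXT_IF_2, EXT_GATE_2)),
    ])
    syn = Packet("in", EXT_IF_2, CLIENT, EXT_ADDR_2, 40000, 22)
    assert fw.handle(syn)[0] == "pass"
    # The kernel picks the default route for the reply, so pf sees it on em0.
    synack = Packet("out", EXT_IF_1, EXT_ADDR_2, CLIENT, 22, 40000)
    verdict, hop, how = fw.handle(synack)
    assert verdict == "pass" and how == "state"
    return hop
```

Without `reply-to`, the model sends the SYN/ACK out em0 toward ISP1 while it carries ISP2's source address, and because it was passed by state it produces no pflog entry, which matches seeing only the three inbound SYNs in the log; with `reply-to ($EXT_IF_2 $EXT_GATE_2)` recorded in the state, the reply goes back out em1. Whether that is the whole story for a real ruleset is something `pfctl -ss` and a tcpdump on both external interfaces will confirm.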
