how to simple redirect ssh tcp port with pf.conf

[batence]

Can anybody tell me: how to simply redirect SSH tcp port with pf.conf

 

[johnblue]

I think what you are asking about was discussed here:

http://forums.freebsd.org/showthread.php?t=12933

 

[johnblue]

This one is pretty good too:

http://forums.freebsd.org/showpost.php?p=199800&postcount=7

 

[batence]

### BASIC
ext_if="fxp0"
int_if="rtk0"
router="192.168.0.2"

### SHARE INTERNET
nat on fxp0 from rtk0:network to any -> (fxp0)

### REDIRECT SSH
#rdr log on $ext_if proto tcp from any to $ext_if port 4550 -> $router
#pass in  on $ext_if inet proto tcp from any to $router port 4550
#pass out on $int_if inet proto tcp from any to $router port 4550
#rdr on $ext_if proto tcp from any to any port 4550 -> $router
#rdr on $ext_if proto udp/tcp from any to any port 4550 -> $router
rdr on $ext_if proto {udp, tcp} from any to any port 4550 -> $router
pass in on $ext_if proto {udp, tcp} from any to any port 4550 keep state

Doesnt work anyway, I have inside a openbsd box with 4550 ssh port

 

[johnblue]

Doesnt work anyway, I have inside a openbsd box with 4550 ssh port

Does your NAT work in general? Do you have this in your /etc/rc.conf:

gateway_enable="YES"

 

[batence]

NAT worked well

 

[SirDice]

rdr on $ext_if proto tcp from any to any port 22 -> $other_machine port 22

 

[J65nko]

You can make your life easier if you use the tag keyword:

ext_if = re0
int_if = lo0 # dummy because this is a single NIC box

other_machine = 10.1.2.3

# --- redirect and tag
rdr on $ext_if proto tcp from any to any port 22 tag SSH -> $other_machine port 22


# --- EXTERNAL INTERFACE incoming
# rdr does not automagically pass the traffic
pass in quick on $ext_if tagged SSH


# --- INTERNAL INTERFACE outgoing
pass out quick on $int_if tagged SSH

The rules generated by a test parse:

[cmd=#] pfctl -vvnf rdr.test[/cmd]

ext_if = "re0"
int_if = "lo0"
other_machine = "10.1.2.3"

@0 rdr on re0 inet proto tcp from any to any port = ssh tag SSH -> 10.1.2.3 port 22
@0 pass in quick on re0 all flags S/SA keep state tagged SSH
@1 pass out quick on lo0 all flags S/SA keep state tagged SSH

If you also want to redirect traffic to an internal webserver you can use a catch-all tag e.g. TCP_OK or APPROVED or whatever tag you want to use.

rdr on $ext_if proto tcp from any to any port 22 tag APPROVED -> $other_machine port 22
rdr on $ext_if proto tcp from any to any port 80 tag APPROVED  -> $webserver_1 port 80

pass in quick on $ext_if tagged APPROVED
pass out quick on $int_if tagged APPROVED

This reduces the number of rules and thus complexity.