Solved How to ssh redirect in PF

Hi guys,

Could someone please help me get the ssh redirection to work.
What I want is for all ssh connections on port 1914 to be redirected to my $MailJail.

In my code below I added
Code:
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail
pass in quick log on $ExtIf proto tcp from <TRUSTED>  to $ExtIf  port 1914  $TcpState $SshSTO
but all I get is an "Operation timed out" error message.

Code:
################ Macros ###################################
### Interfaces ###
ExtIf ="xn0"
JailIf ="lo1"

### Hosts ###
# OpenSMTPD  = "10.10.10.4"
WebProxy    = "10.8.20.11"
MailJail = "10.8.20.15"

### Queues, States and Types ###
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
SynState ="flags S/SA synproxy state"
#TcpState ="flags S/SA synproxy state"
TcpState ="flags S/SA modulate state"
UdpState ="keep state"

### Stateful Tracking Options (STO) ###
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
#table <spamd-white>
#table <BLACKLIST> persist persist "/etc/pf-files/blacklist.zone"
table <TRUSTED> persist file "/etc/pf-files/trusted.pftable"
table <BLOCKEDZONE> persist file "/etc/pf-files/blockedzones.pftable"
table <BLOCKTEMP> counters file "/etc/pf-files/fail2ban.pftable"
# Duplicate entries (192.0.2.0/24 and 169.254.0.0/16 were listed twice) removed
table <BLOCKNETS> {224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    169.254.0.0/16, 192.0.2.0/24, \
                    198.51.100.0/24, 203.0.113.0/24, \
                    0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}

################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}

################ Queueing ####################################################
# no quality of service (QOS) since QoS controls is monitored and rate shaped by the VPS data centre.

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
#scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub     log on $ExtIf all reassemble tcp fragment reassemble

################ Translation #################################################
### NAT and Redirection rules are first match

# NAT all jail traffic
nat on $ExtIf from $JailIf:network  to any -> ($ExtIf)
#nat on $ExtIf from $IntIf:network   to any -> ($ExtIf)

# Hiawatha web proxy server
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port https -> $WebProxy
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port http  -> $WebProxy

# OpenSMTPD with Spamd
#rdr on $ExtIf inet proto tcp from !<spamd-white> to ($ExtIf) port smtp -> 10.10.10.200 port spamd
#rdr on $ExtIf inet proto tcp from  <spamd-white> to ($ExtIf) port smtp -> 10.10.10.250

# Openssh
#rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port ssh -> lo0
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail

# Unbound DNS for LAN machines
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0

# Ntpd time server for the LAN
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0

# Anchors
#nat-anchor "openvpn"
#rdr-anchor "openvpn"

# DENY rogue redirection
#no rdr

################ Filtering ###################################################
# Rules are best (closest) match. Rules are optimized so external
# interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and blacklist tables
#block in quick on $ExtIf from                     <BLACKLIST> to any
block drop in log quick from { <BLOCKNETS> urpf-failed no-route } to any
block out quick on $ExtIf from any to { <BLOCKNETS> no-route }
block drop in log quick on $ExtIf proto udp from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh
block drop in log quick on $ExtIf proto tcp from <BLOCKEDZONE> to any port { 22 80 443 }

### $ExtIf default block with drop
block drop in log on $ExtIf
antispoof quick log for $ExtIf inet
block quick inet6

### $ExtIf inbound
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxy port https $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxy port www   $TcpState $WebSTO
pass in quick log on $ExtIf proto tcp from <TRUSTED>      to $ExtIf    port ssh   $TcpState $SshSTO
pass in quick log on $ExtIf proto tcp from <TRUSTED>      to $ExtIf    port 1914  $TcpState $SshSTO

### $ExtIf outbound
pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
 
What I want is for all ssh connections on port 1914 to be redirected to my $MailJail.

In my code below I added
Code:
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail
pass in quick log on $ExtIf proto tcp from <TRUSTED>  to $ExtIf  port 1914  $TcpState $SshSTO
but all I get is an "Operation timed out" error message.
The pass rule sees the traffic after redirection, so you would need to change it like so:
Code:
pass in quick log on $ExtIf proto tcp from <TRUSTED>  to $MailJail  port 1914  $TcpState $SshSTO
And assuming the sshd on your mail jail runs on port 22, you would want to redirect to port 22 also:
Code:
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail port 22
pass in quick log on $ExtIf proto tcp from <TRUSTED>  to $MailJail  port 22 $TcpState $SshSTO
 
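The mistake in the original ruleset (a pass rule written against the pre-translation destination) is easy to repeat whenever an rdr is added, so here is an added example, not code from this thread or from PF itself: a small Python checker for the pre-4.7 PF syntax used above that expands macros, resolves common service names, and reports every rdr target that no "pass in" rule accepts. The macro handling and the service-name table are simplifications I chose for the example; the two sample rulesets are constructed from the lines quoted in this thread.

```python
"""Flag rdr rules whose translated destination is matched by no 'pass in' rule.

PF evaluates filter rules after translation, so 'pass in ... to $ExtIf port 1914'
never sees a packet that an rdr has already rewritten to $MailJail; the packet
hits the default 'block drop in' and the client reports a timeout.
"""
import re

# Constructed sample: the macros and rules from the original post.
OP_RULES = """
ExtIf ="xn0"
WebProxy    = "10.8.20.11"
MailJail = "10.8.20.15"
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port https -> $WebProxy
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port http  -> $WebProxy
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxy port https $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxy port www   $TcpState $WebSTO
pass in quick log on $ExtIf proto tcp from <TRUSTED>      to $ExtIf    port ssh   $TcpState $SshSTO
pass in quick log on $ExtIf proto tcp from <TRUSTED>      to $ExtIf    port 1914  $TcpState $SshSTO
"""

# Constructed sample: the same ruleset with the corrected rdr/pass pair.
FIXED_RULES = """
ExtIf ="xn0"
MailJail = "10.8.20.15"
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail port 22
pass in quick log on $ExtIf proto tcp from <TRUSTED>  to $MailJail  port 22 $TcpState $SshSTO
"""

# Service names that appear in filter rules (constructed subset; a fuller
# checker could fall back to socket.getservbyname()).
SERVICE_PORTS = {"ssh": "22", "http": "80", "www": "80", "https": "443", "smtp": "25"}

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')
RDR_RE = re.compile(r'^rdr\b.*?\bto\s+(\S+)\s+port\s+(\S+)\s+->\s+(\S+)(?:\s+port\s+(\S+))?')
PASS_IN_RE = re.compile(r'^pass\s+in\b.*?\bto\s+(\S+)\s+port\s+(\S+)')


def parse_macros(text):
    """Collect Name = "value" definitions into a dict."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(token, macros):
    """Resolve $Macro references; '($ExtIf)' and '$ExtIf' are treated alike here."""
    token = token.strip("()")
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), token)


def norm_port(port):
    """Map a service name to its port number so 'http' and 'www' compare equal."""
    return SERVICE_PORTS.get(port, port)


def parse_rdr(line, macros):
    """Return (translated_host, translated_port) for an rdr rule, else None.
    When the rdr has no trailing 'port N', PF keeps the original destination port."""
    m = RDR_RE.match(line.strip())
    if not m:
        return None
    _orig_dst, orig_port, new_dst, new_port = m.groups()
    return expand(new_dst, macros), norm_port(new_port or orig_port)


def parse_pass_in(line, macros):
    """Return (destination, port) accepted by a 'pass in' rule, else None."""
    m = PASS_IN_RE.match(line.strip())
    if not m:
        return None
    return expand(m.group(1), macros), norm_port(m.group(2))


def audit(text):
    """Return the (host, port) targets that an rdr rewrites to but no
    'pass in' rule accepts, in ruleset order."""
    macros = parse_macros(text)
    lines = text.splitlines()
    targets = [t for t in (parse_rdr(l, macros) for l in lines) if t]
    accepted = {p for p in (parse_pass_in(l, macros) for l in lines) if p}
    return [t for t in targets if t not in accepted]


if __name__ == "__main__":
    for name, ruleset in (("original", OP_RULES), ("fixed", FIXED_RULES)):
        print(name, "->", audit(ruleset) or "all rdr targets have a pass rule")
```

On the original ruleset the checker reports ("10.8.20.15", "1914"): the web rdrs are covered (the pass rules name the proxy address, and www/http normalise to 80) but the ssh rdr target is not, which is exactly the timeout described above. The corrected pair from the reply produces no findings.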
Thank you very much mickey
Am I right to think that if the ssh port on the mailjail is 1914, I don't need
Code:
pass in quick log on $ExtIf proto tcp from <TRUSTED> to $MailJail port 22 $TcpState $SshSTO
 
When the sshd on your mail jail is listening on port 1914, just go with:
Code:
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail port 1914
pass in quick log on $ExtIf proto tcp from <TRUSTED> to $MailJail port 1914 $TcpState $SshSTO
 
Thank you very much mickey
Am I right to think that if the ssh port on the mailjail is 1914, I don't need
Code:
pass in quick log on $ExtIf proto tcp from <TRUSTED> to $MailJail port 22 $TcpState $SshSTO

That means you're making changes to the configuration of sshd(8) that is running in the jail, complicating the setup unnecessarily. I would instead go with a little bit more complicated PF rules, because /etc/ssh/sshd_config is among the files that you need to merge with mergemaster(8) on updates (or whatever freebsd-update(8) uses). The PF ruleset has no pre-installed file such as /etc/pf.conf, and you don't have to worry about it on updates.
 