Hi guys,
Could someone please help me get the ssh redirection to work?
What I want is for all ssh connections on port 1914 to be redirected to my $MailJail.
In my code below I added the following, but all I get is an "Operation timed out" error message.
Code:
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail
pass in quick log on $ExtIf proto tcp from <TRUSTED> to $ExtIf port 1914 $TcpState $SshSTO
Code:
################ Macros ###################################
### Interfaces ###
ExtIf ="xn0"
JailIf ="lo1"
### Hosts ###
# OpenSMTPD = "10.10.10.4"
WebProxy = "10.8.20.11"
MailJail = "10.8.20.15"
### Queues, States and Types ###
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
SynState ="flags S/SA synproxy state"
#TcpState ="flags S/SA synproxy state"
TcpState ="flags S/SA modulate state"
UdpState ="keep state"
### Stateful Tracking Options (STO) ###
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO ="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
WebSTO ="(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
### Tables ###
#table <spamd-white>
#table <BLACKLIST> persist persist "/etc/pf-files/blacklist.zone"
table <TRUSTED> persist file "/etc/pf-files/trusted.pftable"
table <BLOCKEDZONE> persist file "/etc/pf-files/blockedzones.pftable"
table <BLOCKTEMP> counters file "/etc/pf-files/fail2ban.pftable"
# bogon / non-routable ranges (duplicate 192.0.2.0/24 and 169.254.0.0/16 entries removed)
table <BLOCKNETS> {224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    169.254.0.0/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
    0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}
################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}
################ Queueing ####################################################
# no quality of service (QoS) here: traffic is monitored and rate-shaped by the VPS data centre.
################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
#scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ExtIf all reassemble tcp fragment reassemble
################ Translation #################################################
### NAT and Redirection rules are first match
# NAT all jail traffic
nat on $ExtIf from $JailIf:network to any -> ($ExtIf)
#nat on $ExtIf from $IntIf:network to any -> ($ExtIf)
# Hiawatha web proxy server
rdr on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port https -> $WebProxy
rdr on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port http -> $WebProxy
# OpenSMTPD with Spamd
#rdr on $ExtIf inet proto tcp from !<spamd-white> to ($ExtIf) port smtp -> 10.10.10.200 port spamd
#rdr on $ExtIf inet proto tcp from <spamd-white> to ($ExtIf) port smtp -> 10.10.10.250
# Openssh
#rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port ssh -> lo0
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail
# Unbound DNS for LAN machines
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0
# Ntpd time server for the LAN
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0
# Anchors
#nat-anchor "openvpn"
#rdr-anchor "openvpn"
# DENY rogue redirection
#no rdr
################ Filtering ###################################################
# Rules are best (closest) match. Rules are optimized so external
# interface parsing is first followed by the internal interface.
### $ExtIf block abusive hosts in temp and blacklist tables
#block in quick on $ExtIf from <BLACKLIST> to any
block drop in log quick from { <BLOCKNETS> urpf-failed no-route } to any
block out quick on $ExtIf from any to { <BLOCKNETS> no-route }
block drop in log quick on $ExtIf proto udp from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh
block drop in log quick on $ExtIf proto tcp from <BLOCKEDZONE> to any port { 22 80 443 }
### $ExtIf default block with drop
block drop in log on $ExtIf
antispoof quick log for $ExtIf inet
block quick inet6
### $ExtIf inbound
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxy port https $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxy port www $TcpState $WebSTO
pass in quick log on $ExtIf proto tcp from <TRUSTED> to $ExtIf port ssh $TcpState $SshSTO
pass in quick log on $ExtIf proto tcp from <TRUSTED> to $ExtIf port 1914 $TcpState $SshSTO
### $ExtIf outbound
pass out log on $ExtIf inet proto tcp from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
pass out log on $ExtIf inet proto udp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
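The reason for the timeout is visible in the ruleset itself: PF applies `rdr` translation before it evaluates filter rules, so by the time the redirected packet reaches the filter its destination is already $MailJail, and a `pass` rule written `to $ExtIf port 1914` never matches it. The packet then falls through to the default `block drop in log on $ExtIf`. The http/https rules in the same ruleset already do this correctly (they `pass ... to $WebProxy`, the translated address). As an added example, not part of the original post, this is the ssh pair written the same way. It assumes the poster's macros ($ExtIf, $MailJail, $TcpState, $SshSTO) and assumes the jail's sshd listens on the default port 22; if it really listens on 1914, drop the `port ssh` on the rdr rule and use `port 1914` on the pass rule.

```pf
# Added example, not from the original post. Assumes the poster's macros and
# that sshd inside the jail listens on port 22 (assumption).

### Translation section (rdr rules are first match)
# Redirect port 1914 on the external address into the mail jail and rewrite
# the destination port to 22 at the same time.
rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $MailJail port ssh

### Filtering section
# Filter rules see the packet AFTER translation, so match the rewritten
# destination ($MailJail, port 22), not "$ExtIf port 1914". This is the same
# pattern the ruleset already uses for $WebProxy on http/https.
pass in quick log on $ExtIf inet proto tcp from <TRUSTED> to $MailJail port ssh $TcpState $SshSTO
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Since the default block rule is logged, the original symptom can be confirmed rather than guessed: `tcpdump -n -e -ttt -i pflog0 port 1914` will show `block in on xn0` entries for the TRUSTED source while the old pass rule is in place, and `pfctl -sn` / `pfctl -ss` will show the rdr rule and the established state once the corrected pair is loaded.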