pf external user access to specific server

[gpatrick]

I have a private LAN and a DMZ setup. My rules work for what I need and I'm not a pf expert by any means, but what rules do I need if I want an external user to be able to login to a server in my LAN?

For example, a user on the outside would login to 192.168.1.100 which is a Unix machine on my private LAN using ssh. I'd assume that is possible, but I have no idea how to implement it.

 

[SirDice]

You will need to "punch" a hole in your firewall and redirect the traffic to the internal machine. You will need to use PF's rdr to redirect the traffic. See pf.conf(5).

The basic rule looks like this:

rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> $my_internal_server port 22

 

[SirDice]

Keep in mind with the rules that NAT (and rdr) happen before any rules. So you'll need to filter on the NAT'ed addresses. This is much more readable:

my_internal_server="192.168.1.100"

block return in on $ext_if proto tcp all
pass in log on $ext_if proto tcp from any to $my_internal_server port 22

 

[kpa]

Do not use the synproxy option unless you really know what it's used for and when it can be used for the purpose it exists. Basically you don't turn it on until you detect you're under a SYN flood attack.