[Solved] PF setup for RDP tunneling over SSH

Hello,

Hopefully someone can point me in the right direction. I've searched the InterWebs but haven't found a solution to this specific issue. I use FreeBSD on a laptop, from which I tunnel RDP over SSH to access a Windows box on my office network. I first do: ssh user@remotelinuxhost -L:3389:windowsbox:3389, then RDP to 127.0.0.1 to make the RDP connection. This works great as long as I don't have a firewall running locally on the FreeBSD laptop, but if I start pf then I cannot make the connection. How do I open the firewall to allow bi-directional RDP? I appreciate any help, I'm having a bit of a brain freeze. :)

Thanks!
~D
 
Re: PF setup for RDP tunneling over SSH

It would help if you put the pf.conf here, unless you want a reply like "Put pass out quick or set skip on $ext_if in your pf.conf".
 
Re: PF setup for RDP tunneling over SSH

I apologize, since I am not on the laptop currently, but below is the latest incarnation of pf.conf as I recall entering it last night:

Code:
ext_if="wlan0"

tcp_services="{ ssh, rdp }"

# filter rules
block all

# Accept incoming
pass in log quick on $ext_if proto tcp from any to $ext_if port $tcp_services keep state

If I enable the firewall with the above rule, SSH works fine but the RDP connection cannot be made. I did make sure that RDP is defined in /etc/services. I'm sure I'm missing something obvious.
 
Re: PF setup for RDP tunneling over SSH

Move the log directive from the pass to the block rule, and run tcpdump -s 0 -plni pflog0 to see blocked packets. You do need
Code:
pflog_enable="YES"
in /etc/rc.conf.

Before you do that: note that almost every PF setup needs a
Code:
set skip on lo0
at the very least. I don't know how RDP behaves 'internally', but if it uses localhost in any way, you're not allowing it now.
 
Re: PF setup for RDP tunneling over SSH

Thank you for the reply. I do have:
Code:
pflog_enable="YES"
in /etc/rc.conf.

I will try the other changes, run tcpdump -s 0 -plni pflog0 and report back tonight. I'm confident it will work.
 
Re: PF setup for RDP tunneling over SSH

It really doesn't matter what you tunnel over SSH, it will always be an outgoing connection to port 22 only. You don't need an incoming connection to port 22 for it to work. But you do need to be able to connect to/from localhost in order to connect to the tunnel end point.

This should be enough:
Code:
set skip on lo0

block log all
pass out on $ext_if proto tcp from any to any port 22
 
Re: PF setup for RDP tunneling over SSH

Oh, I missed the entire tunneling issue. Yes, in that case, RDP is not necessary in pf.conf, but the RDP session running through the tunnel talks to an RDP session running on localhost on the other side (see manual entries for ssh -L, ssh -R). And like I said: you don't allow that now.
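The two replies above make the same point from different angles: the tunnel only ever needs an outbound connection to port 22 on the external interface, plus unfiltered loopback traffic for the RDP client talking to the local end of the forward, so the `pass in ... port rdp` rule on wlan0 does nothing for it. As an added example that is not code from the thread, the Python below models a deliberately minimal subset of pf rule evaluation (last match wins, `quick`, `set skip`, pass by default) and runs the first and the corrected ruleset against the three flows an `ssh -L` tunnel produces on the laptop. The `Packet`, `Rule`, `FLOWS` and function names are my own, and the model only looks at the first packet of each connection, since a matching pass rule keeps state for the replies on modern pf.

```python
"""Added example: toy model of pf rule evaluation for the rulesets in this thread.

Modelled pf semantics (intentionally minimal, assumptions of this example):
  * `set skip on IFACE` -> packets on that interface bypass filtering entirely;
  * rules are evaluated top to bottom and the last matching rule wins,
    unless a matching rule carries `quick`, which ends evaluation there;
  * a matching `pass` rule creates state, so replies are allowed without
    consulting the rules again (modern pf keeps state on pass rules by default);
  * no matching rule at all means pass (pf's default).
Only the first packet of each connection is evaluated, which is all that
decides whether the connection can be established.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet is seen on
    direction: str      # "in" or "out" relative to the laptop
    proto: str          # "tcp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "block" or "pass"
    direction: Optional[str] = None     # None matches both directions
    iface: Optional[str] = None         # None matches any interface
    proto: Optional[str] = None         # None matches any protocol
    dst_ports: Optional[frozenset] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_ports is None or p.dst_port in self.dst_ports))


def evaluate(p: Packet, rules: list, skip: frozenset = frozenset()) -> str:
    """Return 'pass' or 'block' for the first packet of a connection."""
    if p.iface in skip:
        return "pass"           # set skip: no filtering on this interface
    verdict = "pass"            # pf default when no rule matches
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:
                break           # quick: stop evaluating at this rule
    return verdict


# Constructed flows for `ssh -L 3389:windowsbox:3389 user@remotelinuxhost`
# followed by an RDP client pointed at 127.0.0.1. With no bind address the
# ssh client listens on loopback only, so the RDP traffic never leaves lo0.
FLOWS = {
    "ssh client -> remotelinuxhost:22 (out wlan0)": Packet("wlan0", "out", "tcp", 22),
    "rdp client -> 127.0.0.1:3389 (out lo0)":       Packet("lo0", "out", "tcp", 3389),
    "rdp client -> 127.0.0.1:3389 (in lo0)":        Packet("lo0", "in", "tcp", 3389),
}

# Ruleset as first posted: block all; pass in quick on wlan0 for ssh and rdp.
ORIGINAL_RULES = [
    Rule("block"),
    Rule("pass", "in", "wlan0", "tcp", frozenset({22, 3389}), quick=True),
]
ORIGINAL_SKIP = frozenset()

# Ruleset from the reply: set skip on lo0; block log all; pass out tcp port 22.
FIXED_RULES = [
    Rule("block"),
    Rule("pass", "out", "wlan0", "tcp", frozenset({22})),
]
FIXED_SKIP = frozenset({"lo0"})


def verdicts(rules: list, skip: frozenset) -> dict:
    """Verdict for every flow of the tunnel under the given ruleset."""
    return {name: evaluate(p, rules, skip) for name, p in FLOWS.items()}


def tunnel_works(rules: list, skip: frozenset) -> bool:
    """The RDP-over-SSH session needs every one of its flows to pass."""
    return all(v == "pass" for v in verdicts(rules, skip).values())


def unused_rules(rules: list, skip: frozenset) -> list:
    """Rules that match none of the tunnel's flows: dead weight, or for a
    pass-in rule, an opening on the external interface the tunnel never needs."""
    return [r for r in rules
            if not any(p.iface not in skip and r.matches(p) for p in FLOWS.values())]


if __name__ == "__main__":
    for label, rules, skip in (("original", ORIGINAL_RULES, ORIGINAL_SKIP),
                               ("fixed", FIXED_RULES, FIXED_SKIP)):
        print(f"== {label} ruleset: tunnel works = {tunnel_works(rules, skip)}")
        for name, v in verdicts(rules, skip).items():
            print(f"  {v:5s}  {name}")
        for r in unused_rules(rules, skip):
            print(f"  unused: {r}")
```

Evaluated as transcribed, the first ruleset blocks both halves of the loopback flow (there is no `set skip on lo0`) and also the outbound SSH connection itself, because `block all` has no `pass out` counterpart; its only pass rule matches none of the tunnel's traffic. The corrected ruleset passes all three flows with nothing open inbound on wlan0, which is the point of the two replies.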
 
Re: PF setup for RDP tunneling over SSH

This makes perfect sense. I should have considered the loopback, actually, but as I said my brain stopped working. I think the most important part is
Code:
set skip on lo0
and then clean up and simplify the pf.conf as demonstrated. Thank you both.
 