
I'm using pf on FreeBSD 9. sshd is up and listening on loopback only (127.0.0.1).

Trying to use redirect rule to allow network hosts to connect via ssh.

set block-policy drop
set skip on lo0
scrub in

no rdr on lo0 all
rdr on fxp0 inet proto tcp from any to (fxp0) port = ssh -> 127.0.0.1

block drop in log quick on ! lo inet from 127.0.0.0/8 to any
block drop log on fxp0 all
pass in quick on fxp0 inet proto tcp from any to 127.0.0.1 port ssh
pass out quick on fxp0 all keep state

This does not work for some reason and I see no related messages in pflog.

I also tried rdr pass, with the same result.

I see this status from pfctl -ss:

all tcp 127.0.0.1:22 (192.168.0.40:22) <- 192.168.0.252:65105   CLOSED:SYN_SENT

When I turn on logging for rdr, I see this:

rdr in on fxp0: 192.168.0.252.65105 > 127.0.0.1.22: Flags [S], seq 1927917349, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS[|tcp]>

What is wrong with my setup?

How do I get more log output?

taro
  • I'm voting to close this question as off-topic because it's three years old and lacks sufficient information to find an answer – Jenny D Dec 25 '17 at 10:31

1 Answer

Have you checked your sshd listening addresses?

$ netstat -a | grep ssh
tcp4       0      0 *.ssh                  *.*                    LISTEN
tcp6       0      0 *.ssh                  *.*                    LISTEN

The first * means that sshd is listening on all local addresses on the machine, including 127.0.0.1.

SSHD_CONFIG(5)

 ListenAddress
         Specifies the local addresses sshd(8) should listen on.  The
         following forms may be used:

               ListenAddress host|IPv4_addr|IPv6_addr
               ListenAddress host|IPv4_addr:port
               ListenAddress [host|IPv6_addr]:port

         If port is not specified, sshd will listen on the address and all
         prior Port options specified.  The default is to listen on all
         local addresses.  Multiple ListenAddress options are permitted.
         Additionally, any Port options must precede this option for
         non-port qualified addresses.

If sshd is not listening on address 127.0.0.1, the state is shown as CLOSED:SYN_SENT in the pfctl -ss output.

Here is the netstat output after making sshd listen on 192.168.10.114 only.

$ netstat -a | grep ssh
tcp4       0      0 192.168.10.114.ssh     *.*                    LISTEN

While trying to ssh to this machine, the pfctl -ss output looks like this.

$ pfctl -ss
all tcp 127.0.0.1:22 (192.168.10.114:22) <- 192.168.10.107:50701       CLOSED:SYN_SENT

The ssh connection is redirected to 127.0.0.1 by the rdr rule: the SYN packet is sent to 127.0.0.1 tcp/22 (SYN_SENT).

However, 127.0.0.1 tcp/22 is not open, so it is shown as CLOSED.

Minsuk Song
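As an added example (not code from the question or the answer above), the following POSIX sh script automates the check the answer describes: for every inbound tcp state that pf has translated, it verifies that a tcp4 socket is actually listening where the rdr rule sends the SYN. The netstat and pfctl -ss lines it runs against are constructed samples modelled on the formats shown on this page, not output captured from the poster's machine; `listens_on` and `check_rdr` are helper names chosen here.

```shell
#!/bin/sh
# Added example: cross-check pf rdr targets against sshd's bound addresses.
# The sample data below is constructed to mirror FreeBSD netstat/pfctl
# output formats; it is not captured from the original poster's host.

NETSTAT_LOOPBACK_ONLY='tcp4       0      0 127.0.0.1.22           *.*                    LISTEN'
NETSTAT_LAN_ONLY='tcp4       0      0 192.168.10.114.22      *.*                    LISTEN'
NETSTAT_WILDCARD='tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN'

# One translated inbound state, as pfctl -ss prints it: translated dst,
# (original dst), "<-", source, and the TCP state seen on each side.
PFSTATE='all tcp 127.0.0.1:22 (192.168.10.114:22) <- 192.168.10.107:50701       CLOSED:SYN_SENT'

# listens_on ADDR PORT   (reads "netstat -an -p tcp" output on stdin)
# Succeeds if a tcp4 socket is in LISTEN on ADDR:PORT or on the wildcard *:PORT.
# Only tcp4 counts: a tcp6 "*.22" listener does not accept IPv4 connections
# on FreeBSD when net.inet6.ip6.v6only=1 (the default).
listens_on() {
    awk -v addr="$1" -v port="$2" '
        $1 == "tcp4" && $NF == "LISTEN" {
            n = split($4, f, ".")                          # 127.0.0.1.22 -> 5 fields, *.22 -> 2
            p = f[n]                                       # last field is the port
            a = substr($4, 1, length($4) - length(p) - 1)  # everything before the final "."
            if (p == port && (a == "*" || a == addr)) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# check_rdr NETSTAT_TEXT PFCTL_SS_TEXT
# For every inbound tcp state that pf has translated (an "(orig)" field and a
# "<-" arrow), verify something listens where the rdr rule delivers the SYN.
# Returns 1 if any translated target has no listener, which is exactly the
# situation behind the CLOSED:SYN_SENT state shown in the answer.
check_rdr() {
    netstat_out="$1"
    states="$2"
    printf '%s\n' "$states" |
    awk '$2 == "tcp" && $4 ~ /^\(/ && $5 == "<-" {
            split($3, t, ":")                 # translated destination addr:port
            print t[1], t[2], $NF
         }' |
    (
        bad=0
        while read -r addr port state; do
            if printf '%s\n' "$netstat_out" | listens_on "$addr" "$port"; then
                echo "OK   rdr target $addr:$port has a tcp4 listener (state $state)"
            else
                echo "FAIL rdr target $addr:$port has no tcp4 listener (state $state)"
                bad=1
            fi
        done
        exit "$bad"      # the subshell's exit code becomes the pipeline's status
    )
}

# Stand-alone demo: the second call reproduces the answer's failure case.
check_rdr "$NETSTAT_LOOPBACK_ONLY" "$PFSTATE"
check_rdr "$NETSTAT_LAN_ONLY" "$PFSTATE" || echo "bind sshd to 127.0.0.1 (or *) so the rdr target is reachable"
```

On a real FreeBSD host, replace the constructed strings with `"$(netstat -an -p tcp)"` and `"$(pfctl -ss)"`; the numeric `-n` output is what the parser expects, since `netstat -a` without `-n` prints service names such as `.ssh` in place of the port number.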