January 2009
We have a firewall running OpenBSD and PF. An outside host must have SSH access to a machine that is inside our DMZ.
wan_if=sis3
intranet_if=sis4
sshbox=10.0.24.16
hosts_allowed_ssh_to_sshbox=" { 132.179.15.38 } "

# In the RDR/NAT section:
rdr log on $wan_if proto tcp from $hosts_allowed_ssh_to_sshbox to $wan_if:0 port ssh -> $sshbox

# In the filtering section:
pass in on $wan_if inet proto tcp from $hosts_allowed_ssh_to_sshbox to $sshbox port ssh
pass out on $intranet_if inet proto tcp from $hosts_allowed_ssh_to_sshbox to $sshbox port ssh
Redirecting outside hosts other than those in $hosts_allowed_ssh_to_sshbox to a different inside machine is trivial: just add another section like the one above, with different variable names and values.
Redirecting one outside host to multiple inside hosts could be done by having it connect to different nonstandard ports on the firewall, one per inside host, or by more intricate schemes such as port knocking.
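Here is an added example, not part of the original post, that carries both of the variants just described through in the same pre-4.7 pf.conf syntax: a second allowed outside host redirected to a different inside machine, and one outside host reaching two inside machines through two nonstandard ports on the firewall. The interface names and the SSH box are taken from the post; the other inside addresses, outside addresses, ports and macro names are constructed for the example, and the default-deny rule at the top of the filtering section is assumed (the post does not show its block policy).

```pf
# Added example, not the original post's configuration.
# sis3, sis4, 10.0.24.16 and 132.179.15.38 come from the post; the rest is constructed.
wan_if=sis3
intranet_if=sis4

# Section 1: one outside host -> the SSH box (as in the post)
sshbox=10.0.24.16
hosts_allowed_ssh_to_sshbox="{ 132.179.15.38 }"

# Section 2: another outside host -> a different inside machine (constructed values)
webbox=10.0.24.20
hosts_allowed_ssh_to_webbox="{ 198.51.100.7 }"

# Section 3: one outside host -> two inside machines, one nonstandard
# firewall port per inside host (constructed values)
admin_host="{ 203.0.113.9 }"
box_a=10.0.24.31
box_b=10.0.24.32
port_for_box_a=2201
port_for_box_b=2202

# --- RDR/NAT section ---
# Every rdr is restricted to its allowed source and carries "log", so each
# redirected connection attempt shows up on pflog0.
rdr log on $wan_if proto tcp from $hosts_allowed_ssh_to_sshbox to $wan_if:0 port ssh -> $sshbox
rdr log on $wan_if proto tcp from $hosts_allowed_ssh_to_webbox to $wan_if:0 port ssh -> $webbox
rdr log on $wan_if proto tcp from $admin_host to $wan_if:0 port $port_for_box_a -> $box_a port ssh
rdr log on $wan_if proto tcp from $admin_host to $wan_if:0 port $port_for_box_b -> $box_b port ssh

# --- Filtering section ---
# Assumed default deny on the outside interface; PF is last-match, so the
# pass rules below override it only for the redirected flows.
block in log on $wan_if all

# Filter rules are evaluated after translation, so they name the inside
# (translated) destination, not the firewall's own address.
pass in  on $wan_if      inet proto tcp from $hosts_allowed_ssh_to_sshbox to $sshbox port ssh
pass out on $intranet_if inet proto tcp from $hosts_allowed_ssh_to_sshbox to $sshbox port ssh

pass in  on $wan_if      inet proto tcp from $hosts_allowed_ssh_to_webbox to $webbox port ssh
pass out on $intranet_if inet proto tcp from $hosts_allowed_ssh_to_webbox to $webbox port ssh

# The nonstandard port exists only on the outside; inside it is plain ssh.
pass in  on $wan_if      inet proto tcp from $admin_host to { $box_a, $box_b } port ssh
pass out on $intranet_if inet proto tcp from $admin_host to { $box_a, $box_b } port ssh
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the translation and filter rules ended up in the order you expect with `pfctl -sn` and `pfctl -sr`. Because the rdr rules carry `log`, `tcpdump -n -e -ttt -i pflog0 port ssh` shows every redirected connection and, with the `block in log` rule, every attempt from an address that is not on the allowed list. Note that this is the rdr syntax of OpenBSD releases before 4.7; from 4.7 on, redirection is written as `rdr-to` inside `pass` or `match` rules.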
I don't need that at the moment, though.