redirecting ssh through PF

Jurjen Bokma

January 2009

We have a firewall running OpenBSD an PF. An outside host must have access to a machine that is inside our DMZ.

hosts_allowed_ssh_to_sshbox=" { } "

# In the RDR/NAT section:
rdr log on $wan_if proto tcp from $hosts_allowed_ssh_to_sshbox to $wan_if:0 port ssh -> $sshbox

# In the filtering section:
pass in  on $wan_if      inet proto tcp from $hosts_allowed_ssh_to_sshbox to $sshbox port ssh
pass out on $intranet_if inet proto tcp from $hosts_allowed_ssh_to_sshbox to $sshbox port ssh

Redirecting other hosts than those in $hosts_allowed_ssh_to_sshbox to another inside machine is trivial. Just add another such section as the above with different variable names and values. Redirecting one outside machine to multiple inside hosts could be done by having the outside machine connect to nonstandard ports on the firewall, or by more intricate forms of port knocking. I don't need that at them moment, though.