Does including proto tcp help?

map wm3 dynamic proto tcp $wm3_ip port 2222 <- $wm3_ip port 22

I'm doing something very similar but using a different target IP.

David

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

try this:

map $wm3_ip dynamic $wm3_ip port 2222 <- $wm3_ip port 22

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I did - to no avail. The resulting rule looks exactly like before (and perfectly fine to me):

map wm7 dynamic 51.77.xxx.yyy port 2222 <- any pass family inet4 proto { tcp, udp } to 51.77.xxx.yyy port 22 # id="1"

--
|Mirko Thiesen "We're with you all the way, mostly"|
|http://www.BIHealth.org/ Phone: +49 30 450-570763|
| B e r l i n I n s t i t u t e o f H e a l t h |

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

[...]
It makes no difference, unfortunately. This is the resulting rule with "proto tcp" specified:

map wm7 dynamic 51.77.xxx.yyy port 2222 <- any pass family inet4 proto tcp to 51.77.xxx.yyy port 22 # id="1"

And without it looks like that:

map wm7 dynamic 51.77.xxx.yyy port 2222 <- any pass family inet4 proto { tcp, udp } to 51.77.xxx.yyy port 22 # id="1"

(Don't worry about the wm7 instead of wm3 - I just switched around network cards.)

To me, the latter looks *exactly* like what I want. However, it's just not working. Is there maybe a general NPF configuration option I could be missing? Or even a kernel config option?

FWIW, this is my active ruleset:

(21:51:42) ***@Roanoke:/etc # npfctl show
# filtering: active
# config: loaded

table <blacklist> type hash
table <suspicious> type tree
table <whitelist> type hash

procedure "norm"
procedure "log"

map wm7 dynamic 51.77.xxx.yyy port 2222 <- any pass family inet4 proto { tcp, udp } to 51.77.xxx.yyy port 22 # id="1"

group # id="1"
pass final on lo0 all # id="2"
ruleset "blacklistd-ext" all # id="3"
block in final from <blacklist> # id="4"
block in final from <suspicious> # id="5"
pass stateful in final flags S/FSRA from <whitelist> apply "log" # id="6"
pass out final all # id="7"
pass in final all # id="8"

As you can see, it's pretty much stripped down. I got rid of all other rules in order to debug this particular issue.

(22:03:26) ***@Roanoke:/etc # npfctl table "blacklist" list
177.66.200.38
(22:03:35) ***@Roanoke:/etc # npfctl table "suspicious" list
(22:03:41) ***@Roanoke:/etc # npfctl table "whitelist" list

The one IP address in the "blacklist" table is not the one I'm connecting from.
Yes, all the examples I could dig up do indeed forward incoming connections not just to a different port but also to a different IP address.

Mirko
--
|Mirko Thiesen "We're with you all the way, mostly"|
|http://www.BIHealth.org/ Phone: +49 30 450-570763|
| B e r l i n I n s t i t u t e o f H e a l t h |

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

- Which NetBSD version are you using?

- Can you please first try with no filtering rules i.e.:

group default {
pass final all
}

- What do you see with tcpdump?