On Mon, Dec 16, 2019 at 02:13:50PM +0100, Alexander Bluhm wrote:
> On Sun, Dec 15, 2019 at 03:17:26PM +0100, Alexandr Nedvedicky wrote:
> > Hello Daniel,
> >
> > thanks for reporting back.
> >
> > </snip>
> >
> > > Should the rdr-to rule still work? I fixed it with using the "Port foo"
> > > directive in my sshd config (and a simple "pass in to port foo") in the
> > > meantime.
> >
> > My earlier change indeed omits your use case. The rdr rule should still
> > work. The patch below should fix it. The idea is to check whether the
> > packet got NATed to loopback. We let the packet in if it got changed
> > by PF.
> >
> > The IPv6 part does not need a similar fix. According to a quick check
> > of the existing code it works.
> >
> > OK?
>
> Redirect to localhost is a violation of the strict host model.
> Why not encourage people to use divert-to for local delivery?
I think this is a "do as I want" kind of thing. If I use pf(4) to redirect
traffic to a different address then I think our version of the strict host
model should step back and accept the connection.

> Daniel, is your sshd bound to a * or to a 127.0.0.1 socket? If it
> is a * socket, does it work to redirect to the IP address of the
> incoming interface?

--
:wq Claudio
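The three rule shapes discussed in the thread (rdr-to loopback, divert-to for local delivery, and rdr-to the incoming interface's own address), written out as an added pf.conf example. This is not a rule set posted by anyone in the thread; the port number 2222 (standing in for "Port foo"), the egress interface group, the 192.0.2.10 address and the sshd_config comments are assumptions chosen for illustration.

```pf
# Added example, not from the thread. Assumptions: sshd listens on TCP port
# 2222 ("Port foo" in sshd_config), the external interface is in the "egress"
# group, and 192.0.2.10 (documentation range) is that interface's address.
ext_ip = "192.0.2.10"

# Variant 1: rdr-to loopback. This is the case the thread is about: pf
# rewrites the destination to 127.0.0.1, an address that a strict host model
# would otherwise refuse to accept on a non-loopback interface. sshd must be
# listening on 127.0.0.1 or on *.
pass in on egress proto tcp to (egress) port 22 rdr-to 127.0.0.1 port 2222

# Variant 2: divert-to, the alternative suggested for local delivery. The
# packet is handed to the local socket without rewriting its destination
# address, so no loopback-destined packet arrives on the external interface.
# sshd must be listening on 127.0.0.1 or on *.
pass in on egress proto tcp to (egress) port 22 divert-to 127.0.0.1 port 2222

# Variant 3: rdr-to the address of the incoming interface instead of
# loopback, the variant asked about at the end of the thread. This only
# reaches sshd if it is bound to that address or to *, not if it is bound
# to 127.0.0.1 only.
pass in on egress proto tcp to (egress) port 22 rdr-to $ext_ip port 2222

# For comparison, the workaround described by Daniel needs no translation
# at all: sshd listens directly on the alternate port and pf just passes it.
pass in on egress proto tcp to (egress) port 2222
```

Only one of the variants should be loaded at a time; with all four present the first matching rule wins for the port-22 traffic, and the last line covers the no-translation case. Whether sshd is bound to * or to 127.0.0.1 decides which of the first three variants can deliver the connection, which is exactly the question raised at the end of the thread.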