Система FreeBSD 6.0, фильтр PF
Из локалки по ssh захожу свободно, но из внешнего мира никак, все кто сканил порты говорят что закрыт 22 порт. Вот конфиги:

/etc/ssh/sshd_config:
Port 22
Protocol 2
ListenAddress 0.0.0.0
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel DEBUG
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RhostsRSAAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
TCPKeepAlive yes
UseLogin yes
UseDNS no
UsePAM yes
MaxStartups 5:50:10

/etc/pf.conf
ext_if = "an0"
int_if = "rl0"

tcp_in = "25, 80, 110, 113, 443, 465, 995"
icmp_types="echoreq"

tcp_rdr = "1494, 3389"
host_rdr = "192.168.1.10"

# options
set block-policy drop
set loginterface $ext_if

set skip on { lo0 gif0 }

# scrub
scrub in all

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if proto tcp from xxx.xxx.xxx.xxx to port { $tcp_rdr } -> $host_rdr
rdr on $int_if inet proto tcp to !(self) port 80 -> 127.0.0.1 port 3128

# filter rules
block in log

pass out all keep state

antispoof quick for { lo0 $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port { $tcp_in } flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $host_rdr port { $tcp_rdr } flags S/SA keep state
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass quick on $int_if

Вроде бы правила для ssh и для остальных портов идентичны, но ssh закрыт, а остальные нет!
При попытке законектиться извне по ssh, отваливается по тайм ауту, в логах тишина. Прямо аномалия какая-то.

# pfctl -sr
scrub in all fragment reassemble
block drop in log all
pass out all keep state
block drop in quick on ! lo0 inet from 127.0.0.0/8 to any
block drop in quick on ! rl0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.1 to any
pass in on an0 inet proto tcp from any to (an0) port = ssh flags S/SA keep state
pass in on an0 inet proto tcp from any to (an0) port = smtp flags S/SA keep state
pass in on an0 inet proto tcp from any to (an0) port = http flags S/SA keep state
pass in on an0 inet proto tcp from any to (an0) port = pop3 flags S/SA keep state
pass in on an0 inet proto tcp from any to (an0) port = auth flags S/SA keep state
pass in on an0 inet proto tcp from any to (an0) port = https flags S/SA keep state
pass in on an0 inet proto tcp from any to (an0) port = smtps flags S/SA keep state
pass in on an0 inet proto tcp from any to (an0) port = pop3s flags S/SA keep state
pass in on an0 inet proto tcp from any to 192.168.1.10 port = ica flags S/SA keep state
pass in on an0 inet proto tcp from any to 192.168.1.10 port = rdp flags S/SA keep state
pass in on rl0 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass quick on rl0 all