pf and carp

From: Frank Cases (fcases_at_teliax.com)
Date: 06/08/05

    Date: Wed, 8 Jun 2005 21:20:42 -0000 (UTC)
    To: freebsd-current@freebsd.org
    
    

    My setup is at

    http://pastebin.ca/13602

    The pf has changed a lot since that post,
    but mainly my problem is a pf configuration issue.

    020096 rule 6/0(match): pass in on xl0: IP 172.16.0.101.14906 >
    192.168.1.22.47468: UDP, length: 172
    019964 rule 6/0(match): pass in on xl0: IP 172.16.0.101.14906 >

    First, 192.168.x is the client's internal IP from far far away... why is it
    here? I don't know.

    Also, on the client side I see those as being 172.16.0.101.

    So I need to rewrite my internal to external.

    Problem is, it doesn't work.

    Any help appreciated...

    My pf.conf:

    # Variable definitions.
    #

    ext_if = "xl2"
    int_if = "xl0"
    loop = "lo0"
    pfsync_if="xl1"

    ext_ifs = "{ xl2, carp0, carp1 }"
    int_ifs = "{ xl0, carp2, carp3 }"

    ext_carps= "{ carp0 ,carp1 }"

    ext_ip = "204.18.109.140"
    int_ip = "172.16.0.200"

    server ="{ 172.16.0.101 ,172.16.0.100}"
    int_net ="172.16.0.1/24"

    voip_tcp = "5060"
    voip_udp = "{5060, 4569, 5036, 9999 >< 20001, 2727}"

    table <asts> { 172.16.0.100, 172.16.0.101 }

    #TCP_OPTIONS = "flags S/SAFRUP keep state"
    TCP_OPTIONS = " keep state"

    reserved = " {
            0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8,
            169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16,
            224.0.0.0/3, 255.255.255.255 } "

    scrub in on $ext_if all

    ####
    # Nat rules
    #
    #internal out rewriting ?

    #perform NAT on the xl2 interface for any packets coming from
    #172.16.0.0/24 and replace the source IP address with 204.18.109.140
    nat on $ext_ifs from $int_if/24 to any -> $ext_ip

    nat on $int_if proto tcp from $int_net to $server -> $int_ip
    nat on $int_if proto udp from $int_net to $server -> $int_ip
    ###nat pass on $int_ifs from $int_net to any -> $ext_ip

    #no nat on $ext_if from 204.18.109.140 to any

    ### PLAYING

    binat on $ext_ifs from 172.16.0.101 to any -> 204.18.109.140
    binat on $ext_ifs from 172.16.0.100 to any -> 204.18.109.140

    #### END PLAYING

    #rewrite to loadbalance
    #rdr on $ext_carps inet proto tcp from any to $ext_ip port 4569 -> 172.16.0.101 port 4569
    #rdr on $ext_carps inet proto tcp from any to $ext_ip port 5060 -> 172.16.0.101 port 5060

    #rdr on $ext_carps inet proto udp from any to $ext_ip port 5060 -> 172.16.0.101 port 5060

    #rdr pass on $ext_if proto tcp from any to any port 80 -> $server port 80

    rdr pass on $ext_ifs proto tcp from any to any port 80 -> $server port 80
    rdr pass on $ext_ifs proto tcp from any to any port 4569 -> $server port 4569
    rdr pass on $ext_ifs proto tcp from any to any port 5060 -> $server port 5060

    rdr pass on $ext_ifs proto udp from any to any port 4569 -> $server port 4569
    rdr pass on $ext_ifs proto udp from any to any port 5060 -> $server port 5060
    rdr pass on $ext_ifs proto udp from any to any port 9999:20001 -> $server
    rdr pass on $ext_ifs proto udp from any to any port 2727 -> $server port 2727

    rdr pass on $ext_ifs proto tcp from any to any port $voip_tcp -> $server port $voip_tcp
    rdr pass on $ext_ifs proto udp from any to any -> $server

    ###
    #RULES
    #

    block out log-all on $ext_if all
    block in log-all on $ext_if all

    #carp rules
    pass out log-all on $ext_carps proto carp keep state

    #pfsync rules
    pass on $pfsync_if proto pfsync

    #local nic all pass Rule #1
    pass in quick on lo0 all

    # log and allow all on int_if; I should add quick
    pass log-all on $int_if all

    ###################################################### OUT ###########################

    #PASSOUT INTERNAL NET
    pass out quick log-all on $int_if inet proto tcp from $int_if to any keep state
    pass out quick log-all on $ext_ifs inet proto tcp from $ext_ifs to any keep state

    # Main pass out ------ BAILS OUT OF RULES
    #pass out log quick on $ext_if proto udp all keep state
    pass out log quick on $ext_ifs proto udp all keep state
    pass out log quick on $int_if proto udp all keep state
    #pass out log quick on $ext_if proto tcp all keep state
    pass out log quick on $ext_ifs proto tcp all keep state
    pass out log quick on $int_if proto tcp all keep state

    ###################################################### IN ###########################

    #DNS ------ BAILS OUT OF RULES
    pass in quick on $ext_if proto udp from any port = 53 to $ext_if port = 53 keep state
    pass in quick on $int_if proto udp from any port = 53 to $ext_if port = 53 keep state

    #WEB ------ BAILS OUT OF RULES
    pass in log-all quick on $ext_if inet proto carp from any to $ext_ifs $TCP_OPTIONS
    pass in log-all quick on $ext_if inet proto tcp from any to $ext_ifs port 80 $TCP_OPTIONS

    #asterisk 4569 5060------ BAILS OUT OF RULES

    pass in log-all on $ext_ifs inet proto tcp from any to any port $voip_tcp flags S/SA keep state
    pass out log-all on $ext_ifs inet proto tcp all flags S/SA keep state
    pass in log-all on $ext_ifs inet proto udp from any to any port $voip_udp keep state
    pass out log-all on $ext_ifs proto udp all keep state

    pass in log-all quick on $ext_ifs inet proto tcp from any to $ext_ifs port 5060 $TCP_OPTIONS
    pass in log-all quick on $ext_ifs inet proto udp from any to $ext_ifs port 5060 $TCP_OPTIONS

    pass in log-all quick on $ext_ifs inet proto tcp from any to $ext_ifs port 4569 $TCP_OPTIONS
    pass in log-all quick on $ext_ifs inet proto udp from any to $ext_ifs port 4569 $TCP_OPTIONS

    pass in log-all on $ext_ifs inet proto udp from any to any port $voip_udp $TCP_OPTIONS

    #SSH ------ BAILS OUT OF RULES
    pass in log-all quick inet proto tcp from any to $ext_if port 1978 keep state

    #ICMP Both ways

    pass in on $ext_ifs inet proto icmp all icmp-type 8 code 0 keep state
    pass in on $ext_ifs inet proto icmp all icmp-type 36 keep state
    pass out on $ext_ifs inet proto icmp all keep state
    pass out on $int_ifs inet proto icmp all keep state

    Frank

    _______________________________________________
    freebsd-current@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-current
    To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
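An added check, not part of Frank's post: the two pflog lines quoted in the message are the evidence that settles a NAT question like this one, and the script below (Python, assumed to be run over saved `tcpdump -n -e -ttt -i pflog0` output; it is not part of pf or of the post) parses that line format and flags passed packets on the $ext_ifs interfaces whose source or destination still falls in the config's `reserved` list. pf applies nat/binat before the outbound filter rules, so a "pass out on xl2" line with a 172.16.x source means no translation rule matched that packet, and a private destination on the same line means the gateway is routing to an address that is never reachable from the outside. Two details of the posted pf.conf are worth keeping in mind while reading the report: the `reserved` macro is defined but never referenced by any block rule, so bogon sources are not dropped, and `rdr pass on $ext_ifs proto udp from any to any -> $server` hands every inbound UDP datagram, not only the VoIP ports, to the servers. The sample log lines in the block are constructed (the first two are the ones from the post, the truncated one included); 198.51.100.0/24 is documentation address space.

```python
"""Sanity-check tcpdump-style pflog output against the pf.conf in the post.

Added example, not code from the original post. It parses lines of the form
"... rule 6/0(match): pass in on xl0: IP a.b.c.d.port > e.f.g.h.port: UDP, length: N"
and flags packets that cross the external interfaces still carrying an
address from the config's "reserved" macro.
"""
import ipaddress
import re
from collections import Counter

# Copied from the posted pf.conf: $ext_ifs and the "reserved" macro.
EXT_IFS = {"xl2", "carp0", "carp1"}
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "20.20.20.0/24", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/3", "255.255.255.255/32",
)]

# One pflog line as printed by tcpdump -e; ports are optional so ICMP parses too.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)

# Constructed sample: the first two lines are the ones quoted in the post (the
# second is truncated there and is skipped by the parser); the rest are made
# up to exercise the checks. 198.51.100.0/24 is documentation address space.
SAMPLE_LOG = """\
020096 rule 6/0(match): pass in on xl0: IP 172.16.0.101.14906 > 192.168.1.22.47468: UDP, length: 172
019964 rule 6/0(match): pass in on xl0: IP 172.16.0.101.14906 >
020101 rule 12/0(match): pass out on xl2: IP 172.16.0.101.14906 > 192.168.1.22.47468: UDP, length: 172
020102 rule 12/0(match): pass out on carp0: IP 204.18.109.140.14906 > 198.51.100.7.47468: UDP, length: 172
020103 rule 3/0(match): block in on xl2: IP 10.9.8.7.5060 > 204.18.109.140.5060: UDP, length: 400
020104 rule 9/0(match): pass in on carp0: IP 198.51.100.7.1023 > 204.18.109.140.22: S 1:1(0) win 65535
"""


def parse_pflog(lines):
    """Return one dict per parseable packet line; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").lower()
        if rest.startswith("udp"):
            proto = "udp"
        elif rest.startswith("icmp"):
            proto = "icmp"
        else:
            proto = "tcp"  # tcpdump prints TCP flags/seq here, not a protocol name
        events.append({
            "rule": int(m.group("rule")), "action": m.group("action"),
            "dir": m.group("dir"), "ifname": m.group("ifname"),
            "src": m.group("src"), "dst": m.group("dst"),
            "sport": int(m.group("sport")) if m.group("sport") else None,
            "dport": int(m.group("dport")) if m.group("dport") else None,
            "proto": proto,
        })
    return events


def is_reserved(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RESERVED)


def find_leaks(events):
    """Passed packets on an external interface that still carry a reserved
    address. Inbound packets with a reserved *destination* are deliberately
    not flagged: rdr rewrites the destination before the filter runs, so
    "in on carp0 ... > 172.16.0.101.5060" is what a working redirect looks
    like in the log."""
    leaks = []
    for e in events:
        if e["action"] != "pass" or e["ifname"] not in EXT_IFS:
            continue
        if e["dir"] == "out" and is_reserved(e["src"]):
            leaks.append((e["rule"], e["ifname"], e["src"], "source not rewritten by nat/binat"))
        if e["dir"] == "out" and is_reserved(e["dst"]):
            leaks.append((e["rule"], e["ifname"], e["dst"], "private destination routed to the outside"))
        if e["dir"] == "in" and is_reserved(e["src"]):
            leaks.append((e["rule"], e["ifname"], e["src"], "reserved source accepted from outside"))
    return leaks


def rule_hits(events):
    """Histogram of matched rule numbers; they correspond to the @N labels of `pfctl -vvsr`."""
    return Counter(e["rule"] for e in events)


if __name__ == "__main__":
    evs = parse_pflog(SAMPLE_LOG.splitlines())
    for leak in find_leaks(evs):
        print("rule %d on %s: %s (%s)" % leak)
    for rule, n in sorted(rule_hits(evs).items()):
        print("rule @%d matched %d packet(s)" % (rule, n))
```

Run against the sample, the third line is reported twice (unrewritten 172.16.0.101 source, private 192.168.1.22 destination) while the carp0 packet with the 204.18.109.140 source passes clean; the rule numbers in the histogram are the ones to look up with `pfctl -vvsr` to see which pass rule actually let the untranslated packet out.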

