Re: problem configuring ipfilter for multiple network routing

From: João Assad (jfassad_at_parperfeito.com.br)
Date: 10/20/04

    Date: Wed, 20 Oct 2004 12:47:56 -0300
    To: isp@freebsd.org
    
    

    No response...

    So I take it it's either an ipfilter or FreeBSD limitation?

    João Assad wrote:

    > Hello guys,
    >
    > I have a firewall with 3 network interfaces, 2 external (fxp1 and
    > fxp2) and 1 internal (fxp0)
    > fxp0 is connected to my private network while fxp1 and fxp2 are
    > connected to two different ISPs.
    >
    > I'm trying to use ipfilter to route outgoing packets through two
    > different interfaces and their respective gateways based on the
    > packet's source IP.
    >
    > My problem is that when a packet comes from 10.1.0.0/16, it is
    > correctly routed through the fxp2 interface and reaches the
    > destination... but the reply packets are lost in my firewall and never
    > reach the sender IP from the 10.1.0.0/16 network.
    >
    > Packets coming from 10.0.0.0/16 work perfectly.
    >
    > You can see what I'm trying to do at
    > http://www.bsdnews.org/01/policy_routing.php - *Example 3 - Routing
    > for Multiple Network*
    > The difference is that I'm using stateful rules.
    >
    > My guess is that the reply packets coming from the destination IP do
    > not match the rules in the state table created by ipfilter
    >
    > a telnet to www.google.com 80 will generate this rule in the state table:
    >
    > 10.1.4.1 -> 216.239.39.99 ttl 3596 pass 0x5006 pr 6 state 4/3
    > pkts 4 bytes 188 32830 -> 80 fd654c28:18ea8803 5840<<0:8190<<0
    > pass out quick keep state IPv4
    > pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
    > pkt_security & ffff = 0, pkt_auth & ffff = 0
    > interfaces: in fxp0,fxp2 out fxp1,fxp0
    >
    >
    > Any idea on how to fix it? ipnat and ipfilter configuration below:
    >
    > Thanks in advance.
    >
    > ----ipnat.rules:
    > map fxp1 10.0.0.0/16 -> a.b.c.d/32 portmap tcp/udp 1025:65000
    > map fxp1 10.0.0.0/16 -> a.b.c.d/32
    >
    > map fxp2 10.1.0.0/16 -> e.f.g.h/32 portmap tcp/udp 1025:65000
    > map fxp2 10.1.0.0/16 -> e.f.g.h/32
    >
    >
    > ----ipf.rules:
    > pass out quick on fxp1 to fxp2:fxp2_gateway from 10.1.0.0/16 to any keep state
    >
    > block return-rst in log on fxp1 proto tcp all flags S head 100
    > pass in proto tcp from any to 10.0.5.1/32 port = 25 flags S keep state group 100
    >
    > block out log on fxp1 all head 150
    > pass out proto tcp all flags S/SA keep state group 150
    > pass out proto udp all keep state group 150
    > pass out proto icmp all keep state group 150
    >
    > block return-icmp-as-dest(port-unr) in log on fxp1 proto udp all head 155
    > block in proto udp from any to a.b.c.d/32 port = 137 group 155
    >
    > block return-rst in log on fxp2 proto tcp all flags S head 200
    > pass in proto tcp from any to 10.1.5.1/32 port = 25 flags S keep state group 200
    >
    > block out log on fxp2 all head 250
    > pass out proto tcp all flags S/SA keep state group 250
    > pass out proto udp all keep state group 250
    > pass out proto icmp all keep state group 250
    >
    > block return-icmp-as-dest(port-unr) in log on fxp2 proto udp all head 255
    > block in proto udp from any to e.f.g.h/32 port = 137 group 255
    >
    > pass in quick on fxp0 all
    > pass out quick on fxp0 all
    >
    > pass in quick on lo0 all
    > pass out quick on lo0 all
    >

    -- 
    --------------------------------
    - João Assad
    - ParPerfeito Comunicação LTDA
    - http://www.parperfeito.com.br/
    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
    
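The post's diagnosis hinges on reading the `interfaces:` line of the `ipfstat -sl` entry to see on which interface ipfilter expects the reply packets. The following is an added example, not part of the original thread or of the ipfilter distribution: a small POSIX shell/awk helper that parses an `ipfstat -sl` dump and reports the reply-direction interfaces per state entry. The sample dump is the single entry quoted in the post; the interpretation of the `in a,b out c,d` pairs (first name of each pair = original direction, second name = reply direction) is an assumption about ipfstat's output layout, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post or from ipfilter): pull the expected
# reply interfaces out of an `ipfstat -sl` dump.
#
# Sample dump, copied from the state entry quoted in the mailing-list post.
# Assumption: in "interfaces: in fxp0,fxp2 out fxp1,fxp0" the first name of
# each pair belongs to the original (outbound) direction and the second name
# to the reverse (reply) direction.
SAMPLE='10.1.4.1 -> 216.239.39.99 ttl 3596 pass 0x5006 pr 6 state 4/3
	pkts 4 bytes 188 32830 -> 80 fd654c28:18ea8803 5840<<0:8190<<0
	pass out quick keep state IPv4
	pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
	pkt_security & ffff = 0, pkt_auth & ffff = 0
	interfaces: in fxp0,fxp2 out fxp1,fxp0'

# state_reply_ifaces: read an ipfstat -sl dump on stdin and print one line
# per state entry: "<src> <dst> <reply_in_iface> <reply_out_iface>".
state_reply_ifaces() {
    awk '
    # A state record starts with "src -> dst ..."; remember the endpoints.
    /^[0-9.]+ -> [0-9.]+/ { src = $1; dst = $3 }
    # The interfaces line carries two comma-separated pairs (in, out).
    /interfaces:/ {
        split($3, in_if, ",")
        split($5, out_if, ",")
        printf "%s %s %s %s\n", src, dst, in_if[2], out_if[2]
    }'
}

# expect_reply_on SRC DST IFACE: succeed (exit 0) when the state table says
# the replies for SRC->DST are expected to arrive on IFACE.
expect_reply_on() {
    src=$1; dst=$2; iface=$3
    printf '%s\n' "$SAMPLE" | state_reply_ifaces |
        awk -v s="$src" -v d="$dst" -v i="$iface" \
            '$1 == s && $2 == d && $3 == i { found = 1 } END { exit !found }'
}

# Stand-alone usage: on a live box replace the sample with
#   ipfstat -sl | state_reply_ifaces
printf '%s\n' "$SAMPLE" | state_reply_ifaces
```

Run against a real firewall, `ipfstat -sl | state_reply_ifaces` lists, for every tracked flow, the interface the reply must come in on; a flow whose reply interface is not the ISP link the NAT rule maps it to is the first thing to look at in a setup like the one in the post.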
