Date:      Tue, 30 Nov 2004 09:50:44 -0800 (PST)
From:      Robert M <mirobercik@yahoo.com>
To:        freebsd-pf@freebsd.org
Subject:   3 gateways problem
Message-ID:  <20041130175044.72091.qmail@web52210.mail.yahoo.com>

Hello,

I have a problem with source routing via 3 gateways.

All I need is to be able to get in to my local machine via an 'rdr' rule.

All connections are routed via a firewall box with 4 ethernet cards.

I don't want this done via a 'binat' rule as I only want to rdr some ports.

When telnetting from an external host to:
83.16.196.130 port 22 -> I want to be redirected to 192.168.1.1 port 22
As well as:
194.110.229.163 port 22 -> 192.168.1.1 22

This can also be done by adding a new IP, e.g. 192.168.1.2, to my local machine, but it requires daemon binding setting changes, so I'd rather not.

The problem is that 1/2 connections are established properly.

I assume it's a problem with the rule:
pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state

where the system doesn't know which gateway should be used for the return packet.

Below is my pf.conf (sorry, it's a little messy).

OS: FreeBSD fw 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Fri Jul 16 16:17:52 UTC 2004    root@fw:/usr/obj/usr/src/sys/TUNED  i386

Thank you!

Regards,
Robert

------- pf.conf -----
# vars
ifInt="rl0"
ifDSL1="rl1"
ifDSL2="rl2"
ifDSL3="rl3"

exLocal="192.168.0.3"
exDSL3="194.110.229.164"
robertLocal="192.168.0.4"
robertDSL3="194.110.229.165"
develDSL3="194.110.229.163"
fwDSL3="194.110.229.162"

## networks
netDSL1="83.16.196.120/29"      # dsl1
gwDSL1="83.16.196.121"          #   gw

netDSL2="83.16.196.128/29"      # dsl2
gwDSL2="83.16.196.129"          #   gw

netPSN="192.168.0.0/24"         # Private Service Network (

netDMZ="192.168.1.0/24"         # Demilitarized Zone (hostDevel)
hostDevel="192.168.1.1"         #   devel
netLocal="192.168.0.0/16"       # psn+dmz

netDSL3="194.110.229.160/27"    # DSL3
gwDSL3="194.110.229.161"        # gw

## altq
altq on $ifDSL1 priq bandwidth 250Kb queue { q1pri, q1ssh, q1def }
queue q1pri priority 7
queue q1ssh priority 5
queue q1def priority 1 priq(default)

altq on $ifDSL2 priq bandwidth 250Kb queue { q2pri, q2ssh, q2def }
queue q2pri priority 7
queue q2ssh priority 5
queue q2def priority 1 priq(default)

altq on $ifDSL3 priq bandwidth 2000Kb queue { q3pri, q3ssh, q3def }
queue q3pri priority 7
queue q3ssh priority 5
queue q3def priority 1 priq(default)


## nat 1:n (output)
nat on $ifDSL1 from $netLocal to ! $netLocal -> 83.16.196.122     # dsl1
nat on $ifDSL2 from $hostDevel to ! $netLocal -> 83.16.196.130    # dsl2
nat on $ifDSL2 from $netLocal to ! $netLocal -> 83.16.196.130
nat on $ifDSL3 from $netLocal to ! $netLocal -> 194.110.229.162   # DSL3
nat on $ifDSL3 from 192.168.1.1 to ! $netLocal -> $develDSL3      # devel(DSL3)

## nat 1:1 (input)
# devel
rdr on $ifDSL1 proto tcp from any to 83.16.196.123 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
rdr on $ifDSL3 proto tcp from any to 194.110.229.163 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1

rdr on $ifDSL2 proto tcp from any to 83.16.196.131 port { 25 } -> 192.168.1.1 port 2030
rdr on $ifInt  proto tcp from $netLocal to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 137, 138, 139, 465, 993, 995, 2401 } -> 192.168.1.1

rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 443 } -> 192.168.0.3 port 22
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 6100, 6101, 6102 } -> 192.168.0.3

rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5900 } -> 192.168.0.4

rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5901 } -> 192.168.0.6 port 5900
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 5901 } -> 192.168.0.6 port 5900
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
rdr on $ifDSL1 proto udp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5903 } -> 192.168.0.24 port 3389

rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3389 } -> 192.168.0.24
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3390 } -> 192.168.0.5 port 3389
rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 6000 } -> 192.168.0.9 port 6000
rdr on $ifDSL1 proto udp from 80.55.58.238 to 83.16.196.122 port { 177 } -> 192.168.0.9 port 177
rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 22 } -> 192.168.0.9 port 22
rdr on $ifDSL2 proto tcp from any to 83.16.196.132 port { 25 } -> 192.168.1.1 port 27

##  binat
binat on $ifDSL3 from $exLocal to ! $netLocal -> $exDSL3
binat on $ifDSL3 from $robertLocal to ! $netLocal -> $robertDSL3

# source routing
pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from any to 136.159.158.52 keep state # -> myweb via dsl2
pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3) } from { 192.168.0.3 , 192.168.0.4 } to ! $netLocal keep state # -> DSL3
pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from $netPSN to ! $netLocal keep state # -> dsl1
pass in quick on $ifInt route-to { ($ifDSL2 $gwDSL2) } from $netDMZ to ! $netLocal keep state # -> dsl2

# queues
# DSL1
pass out on $ifDSL1 proto tcp from any to any port 22 flags S/SA \
        keep state queue (q1ssh, q1pri)
pass out on $ifDSL1 proto tcp from $ifDSL1 to any flags S/SA \
        keep state queue (q1def, q1pri)
pass in  on $ifDSL1 proto tcp from any to $ifDSL1 flags S/SA \
        keep state queue (q1def, q1pri)

# DSL2
pass out on $ifDSL2 proto tcp from any to any port 22 flags S/SA \
        keep state queue (q2ssh, q2pri)
pass out on $ifDSL2 proto tcp from $ifDSL2 to any flags S/SA \
        keep state queue (q2def, q2pri)
pass in  on $ifDSL2 proto tcp from any to $ifDSL2 flags S/SA \
        keep state queue (q2def, q2pri)


# DSL3
pass out on $ifDSL3 proto tcp from any to any port 22 flags S/SA \
        keep state queue (q3ssh, q3pri)
pass out on $ifDSL3 proto tcp from $ifDSL3 to any flags S/SA \
        keep state queue (q3def, q3pri)
pass in  on $ifDSL3 proto tcp from any to $ifDSL3 flags S/SA \
        keep state queue (q3def, q3pri)
--- end of pf.conf ----
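The asymmetric-return problem the post describes, reduced to the rules that matter, together with the usual pf fix. This is an added example written for this archive page, not the poster's configuration and not something from the thread; it reuses the macros of the posted pf.conf and assumes only that the poster's July 2004 5.2-CURRENT pf supports the reply-to keyword (pf imported from OpenBSD 3.4 or later). The point it demonstrates: pf applies rdr before the filter rules, a rdr'd SYN that enters on DSL1 or DSL2 creates no state recording its link, so the server's reply arriving on $ifInt is caught by the route-to rule for 192.168.1.1 and forced out DSL3 (where it is also NATed to $develDSL3). Only sessions that entered via DSL3 survive that, which matches the "1/2 connections" symptom. Creating state on the inbound SYN with reply-to pins the return path to the link the SYN came from, and state lookup happens before any route-to rule is evaluated.

```pf
# Added example (editor's, not the original poster's pf.conf): minimal
# multi-gateway rdr setup showing the broken and the fixed inbound rules.
# Macros are the ones from the posted configuration; reply-to is assumed
# to be available in the poster's pf build.

ifInt="rl0"
ifDSL1="rl1"
ifDSL2="rl2"
ifDSL3="rl3"
gwDSL1="83.16.196.121"
gwDSL2="83.16.196.129"
gwDSL3="194.110.229.161"
hostDevel="192.168.1.1"
develDSL3="194.110.229.163"
netLocal="192.168.0.0/16"

# Translation. rdr runs before filtering, so every filter rule below sees
# the translated destination ($hostDevel), not the public address.
nat on $ifDSL3 from $hostDevel to ! $netLocal -> $develDSL3
rdr on $ifDSL1 proto tcp from any to 83.16.196.123 port 22 -> $hostDevel
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port 22 -> $hostDevel
rdr on $ifDSL3 proto tcp from any to $develDSL3    port 22 -> $hostDevel

# BROKEN: stateless inbound pass. Nothing remembers which DSL link carried
# the SYN. The SYN/ACK from $hostDevel then arrives on $ifInt, matches the
# route-to rule at the bottom, leaves via DSL3 and gets its source NATed to
# $develDSL3, so the client on DSL1/DSL2 never sees a valid reply.
# pass in on $ifDSL1 proto tcp from any to $hostDevel port 22
# pass in on $ifDSL2 proto tcp from any to $hostDevel port 22

# FIXED: keep state on the inbound SYN and record the return gateway.
# Replies from $hostDevel match this (floating) state on $ifInt before the
# ruleset is consulted and are sent back through the link they came in on.
pass in on $ifDSL1 reply-to ($ifDSL1 $gwDSL1) proto tcp from any to $hostDevel port 22 flags S/SA keep state
pass in on $ifDSL2 reply-to ($ifDSL2 $gwDSL2) proto tcp from any to $hostDevel port 22 flags S/SA keep state
pass in on $ifDSL3 reply-to ($ifDSL3 $gwDSL3) proto tcp from any to $hostDevel port 22 flags S/SA keep state

# Outbound policy for connections $hostDevel initiates itself. The posted
# rule lists ($ifDSL3 $gwDSL3) twice inside a pool; one entry says the same.
pass in quick on $ifInt route-to ($ifDSL3 $gwDSL3) from $hostDevel to ! $netLocal flags S/SA keep state
```

To confirm which path a session is taking, `pfctl -ss` lists the state entries and `pfctl -vvsr` shows the rules with their match counters; a session that entered on $ifDSL1 should create a state on the reply-to rule for that interface, and the route-to rule for $hostDevel should stop accumulating hits for traffic that belongs to inbound sessions.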