From: Robert M
To: freebsd-pf@freebsd.org
Date: Tue, 30 Nov 2004 09:50:44 -0800 (PST)
Subject: 3 gateways problem
Message-ID: <20041130175044.72091.qmail@web52210.mail.yahoo.com>
List-Id: Technical discussion and general questions about packet filter (pf)

Hello,

I have a problem with source routing via 3 gateways. All I need is to be able to get in to my local machine via an 'rdr' rule. All connections are routed via a firewall box with 4 ethernet cards. I don't want this done via a 'binat' rule, as I only want to rdr some ports.

When telnetting from an external host to:

  83.16.196.130 port 22 -> I want to be redirected to 192.168.1.1 port 22

as well as:

  194.110.229.163 port 22 -> 192.168.1.1 port 22

This could also be done by adding a new IP, e.g. 192.168.1.2, to my local machine, but it requires daemon binding setting changes, so I'd rather not.

The problem is that 1/2 connections are established properly. I assume it's a problem with the rule:

  pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state

where the system doesn't know which gateway should be used for the return packet.

Below is my pf.conf (sorry, it's a little messy).

OS: FreeBSD fw 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Fri Jul 16 16:17:52 UTC 2004 root@fw:/usr/obj/usr/src/sys/TUNED i386

Thank you!

Regards,
Robert

------- pf.conf -----
# vars
ifInt="rl0"
ifDSL1="rl1"
ifDSL2="rl2"
ifDSL3="rl3"

exLocal="192.168.0.3"
exDSL3="194.110.229.164"
robertLocal="192.168.0.4"
robertDSL3="194.110.229.165"
develDSL3="194.110.229.163"
fwDSL3="194.110.229.162"

## networks
netDSL1="83.16.196.120/29"    # dsl1
gwDSL1="83.16.196.121"        # gw
netDSL2="83.16.196.128/29"    # dsl2
gwDSL2="83.16.196.129"        # gw
netPSN="192.168.0.0/24"       # Private Service Network
netDMZ="192.168.1.0/24"       # Demilitarized Zone (hostDevel)
hostDevel="192.168.1.1"       # devel
netLocal="192.168.0.0/16"     # psn+dmz
netDSL3="194.110.229.160/27"  # DSL3
gwDSL3="194.110.229.161"      # gw

## altq
altq on $ifDSL1 priq bandwidth 250Kb queue { q1pri, q1ssh, q1def }
queue q1pri priority 7
queue q1ssh priority 5
queue q1def priority 1 priq(default)

altq on $ifDSL2 priq bandwidth 250Kb queue { q2pri, q2ssh, q2def }
queue q2pri priority 7
queue q2ssh priority 5
queue q2def priority 1 priq(default)

altq on $ifDSL3 priq bandwidth 2000Kb queue { q3pri, q3ssh, q3def }
queue q3pri priority 7
queue q3ssh priority 5
queue q3def priority 1 priq(default)

## nat 1:n (output)
nat on $ifDSL1 from $netLocal to ! $netLocal -> 83.16.196.122      # dsl1
nat on $ifDSL2 from $hostDevel to ! $netLocal -> 83.16.196.130     # dsl2
nat on $ifDSL2 from $netLocal to ! $netLocal -> 83.16.196.130
nat on $ifDSL3 from $netLocal to ! $netLocal -> 194.110.229.162    # DSL3
nat on $ifDSL3 from 192.168.1.1 to ! $netLocal -> $develDSL3       # devel(DSL3)

## nat 1:1 (input)
# devel
rdr on $ifDSL1 proto tcp from any to 83.16.196.123 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
rdr on $ifDSL3 proto tcp from any to 194.110.229.163 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
rdr on $ifDSL2 proto tcp from any to 83.16.196.131 port { 25 } -> 192.168.1.1 port 2030
rdr on $ifInt proto tcp from $netLocal to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 137, 138, 139, 465, 993, 995, 2401 } -> 192.168.1.1
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 443 } -> 192.168.0.3 port 22
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 6100, 6101, 6102 } -> 192.168.0.3
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5900 } -> 192.168.0.4
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5901 } -> 192.168.0.6 port 5900
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 5901 } -> 192.168.0.6 port 5900
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
rdr on $ifDSL1 proto udp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5903 } -> 192.168.0.24 port 3389
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3389 } -> 192.168.0.24
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3390 } -> 192.168.0.5 port 3389
rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 6000 } -> 192.168.0.9 port 6000
rdr on $ifDSL1 proto udp from 80.55.58.238 to 83.16.196.122 port { 177 } -> 192.168.0.9 port 177
rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 22 } -> 192.168.0.9 port 22
rdr on $ifDSL2 proto tcp from any to 83.16.196.132 port { 25 } -> 192.168.1.1 port 27

## binat
binat on $ifDSL3 from $exLocal to ! $netLocal -> $exDSL3
binat on $ifDSL3 from $robertLocal to ! $netLocal -> $robertDSL3

# source routing
pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from any to 136.159.158.52 keep state                      # -> myweb via dsl2
pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3) } from { 192.168.0.3 , 192.168.0.4 } to ! $netLocal keep state  # -> DSL3
pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from $netPSN to ! $netLocal keep state                      # -> dsl1
pass in quick on $ifInt route-to { ($ifDSL2 $gwDSL2) } from $netDMZ to ! $netLocal keep state                      # -> dsl2

# queues
# DSL1
pass out on $ifDSL1 proto tcp from any to any port 22 flags S/SA \
    keep state queue (q1ssh, q1pri)
pass out on $ifDSL1 proto tcp from $ifDSL1 to any flags S/SA \
    keep state queue (q1def, q1pri)
pass in on $ifDSL1 proto tcp from any to $ifDSL1 flags S/SA \
    keep state queue (q1def, q1pri)

# DSL2
pass out on $ifDSL2 proto tcp from any to any port 22 flags S/SA \
    keep state queue (q2ssh, q2pri)
pass out on $ifDSL2 proto tcp from $ifDSL2 to any flags S/SA \
    keep state queue (q2def, q2pri)
pass in on $ifDSL2 proto tcp from any to $ifDSL2 flags S/SA \
    keep state queue (q2def, q2pri)

# DSL3
pass out on $ifDSL3 proto tcp from any to any port 22 flags S/SA \
    keep state queue (q3ssh, q3pri)
pass out on $ifDSL3 proto tcp from $ifDSL3 to any flags S/SA \
    keep state queue (q3def, q3pri)
pass in on $ifDSL3 proto tcp from any to $ifDSL3 flags S/SA \
    keep state queue (q3def, q3pri)
--- end of pf.conf ----
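As an added example (not from the original post or from any reply on the list), this is how pf can pin the return path of a redirected connection to the DSL interface it arrived on: create state for the redirected traffic on that interface with `reply-to`, so the reply from 192.168.1.1 arriving on $ifInt matches the existing state and is routed back through the same gateway instead of falling through to the `route-to` rule on $ifInt. The interface, gateway and host macros are the ones from the pf.conf above; the `develPorts` macro is introduced here, and the example assumes pf's default floating state policy.

```pf
# Added example: state for the redirected connections is created on the
# DSL interface they arrive on, and reply-to records which gateway the
# return packets must use. Macros $ifDSL2/$gwDSL2, $ifDSL3/$gwDSL3 and
# $hostDevel come from the pf.conf above; develPorts is defined here.
develPorts="{ 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 }"

# Translation (rdr) is applied before filtering, so these pass rules
# match the translated destination 192.168.1.1, not the public address.
pass in quick on $ifDSL2 reply-to ($ifDSL2 $gwDSL2) proto tcp \
    from any to $hostDevel port $develPorts flags S/SA keep state
pass in quick on $ifDSL3 reply-to ($ifDSL3 $gwDSL3) proto tcp \
    from any to $hostDevel port $develPorts flags S/SA keep state

# With default floating states, the reply from 192.168.1.1 on $ifInt is
# matched against these states before any rule is evaluated, so it is
# sent out via the recorded gateway rather than via the route-to rule
# for 192.168.1.1. Connections that 192.168.1.1 opens itself still hit
# the route-to rule on $ifInt as before.
```

After loading, `pfctl -s state` shows each redirected connection once per DSL interface; a state created on rl3 for a connection that came in on rl2 indicates the pass rule for that interface is not matching the translated address.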