Date: Tue, 30 Nov 2004 21:02:06 +0200
From: Claudiu Dragalia-Paraipan <dr.clau@gmail.com>
To: Robert M <mirobercik@yahoo.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: 3 gateways problem
Message-ID: <41ACC3AE.4020309@gmail.com>
In-Reply-To: <20041130175044.72091.qmail@web52210.mail.yahoo.com>
References: <20041130175044.72091.qmail@web52210.mail.yahoo.com>
Hi,

maybe this helps you. It is a part of the PF FAQ that you can find at
http://www.openbsd.org/faq/pf/

----------
http://cvs.openbsd.org/faq/pf/pools.html
...
To ensure that packets with a source address belonging to $ext_if1 are
always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
following two lines should be included in the ruleset:

    pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
       to any
    pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
       to any

Finally, NAT can also be used on each outgoing interface:

    nat on $ext_if1 from $lan_net to any -> ($ext_if1)
    nat on $ext_if2 from $lan_net to any -> ($ext_if2)
...
----------

Robert M wrote:
> Hello,
>
> I have a problem with source routing via 3 gateways.
>
> All I need is to be able to get in to my local machine
> via an 'rdr' rule.
>
> All connections are routed via a firewall box
> with 4 ethernet cards.
>
> I don't want this done via a 'binat' rule as I only
> want to rdr some ports.
>
> When telnetting from an external host to:
> 83.16.196.130 port 22 -> I want to be redirected to
> 192.168.1.1 port 22
> As well as:
> 194.110.229.163 port 22 -> 192.168.1.1 22
>
> This also can be done by adding a new IP, e.g. 192.168.1.2,
> to my local machine, but it requires daemon binding
> setting changes.. so I'd rather not.
>
> The problem is that 1/2 connections are established
> properly.
>
> I assume it's a problem with rule:
> pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
>
> where the system doesn't know which gateway should be used
> for the return packet.
>
> Below is my pf.conf (sorry, it's a little messy).
>
> OS: FreeBSD fw 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Fri Jul 16 16:17:52 UTC 2004
> root@fw:/usr/obj/usr/src/sys/TUNED i386
>
> Thank you!
>
> Regards,
> Robert
>
> ------- pf.conf -----
> # vars
> ifInt="rl0"
> ifDSL1="rl1"
> ifDSL2="rl2"
> ifDSL3="rl3"
>
> exLocal="192.168.0.3"
> exDSL3="194.110.229.164"
> robertLocal="192.168.0.4"
> robertDSL3="194.110.229.165"
> develDSL3="194.110.229.163"
> fwDSL3="194.110.229.162"
>
> ## networks
> netDSL1="83.16.196.120/29"      # dsl1
> gwDSL1="83.16.196.121"          # gw
>
> netDSL2="83.16.196.128/29"      # dsl2
> gwDSL2="83.16.196.129"          # gw
>
> netPSN="192.168.0.0/24"         # Private Service Network (
>
> netDMZ="192.168.1.0/24"         # Demilitarized Zone (hostDevel)
> hostDevel="192.168.1.1"         # devel
> netLocal="192.168.0.0/16"       # psn+dmz
>
> netDSL3="194.110.229.160/27"    # DSL3
> gwDSL3="194.110.229.161"        # gw
>
> ## altq
> altq on $ifDSL1 priq bandwidth 250Kb queue { q1pri, q1ssh, q1def }
> queue q1pri priority 7
> queue q1ssh priority 5
> queue q1def priority 1 priq(default)
>
> altq on $ifDSL2 priq bandwidth 250Kb queue { q2pri, q2ssh, q2def }
> queue q2pri priority 7
> queue q2ssh priority 5
> queue q2def priority 1 priq(default)
>
> altq on $ifDSL3 priq bandwidth 2000Kb queue { q3pri, q3ssh, q3def }
> queue q3pri priority 7
> queue q3ssh priority 5
> queue q3def priority 1 priq(default)
>
> ## nat 1:n (output)
> nat on $ifDSL1 from $netLocal to ! $netLocal -> 83.16.196.122      # dsl1
> nat on $ifDSL2 from $hostDevel to ! $netLocal -> 83.16.196.130     # dsl2
> nat on $ifDSL2 from $netLocal to ! $netLocal -> 83.16.196.130
> nat on $ifDSL3 from $netLocal to ! $netLocal -> 194.110.229.162    # DSL3
> nat on $ifDSL3 from 192.168.1.1 to ! $netLocal -> $develDSL3       # devel(DSL3)
>
> ## nat 1:1 (input)
> # devel
> rdr on $ifDSL1 proto tcp from any to 83.16.196.123 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> rdr on $ifDSL3 proto tcp from any to 194.110.229.163 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
>
> rdr on $ifDSL2 proto tcp from any to 83.16.196.131 port { 25 } -> 192.168.1.1 port 2030
> rdr on $ifInt proto tcp from $netLocal to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 137, 138, 139, 465, 993, 995, 2401 } -> 192.168.1.1
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 443 } -> 192.168.0.3 port 22
> rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 6100, 6101, 6102 } -> 192.168.0.3
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5900 } -> 192.168.0.4
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5901 } -> 192.168.0.6 port 5900
> rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 5901 } -> 192.168.0.6 port 5900
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> rdr on $ifDSL1 proto udp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5903 } -> 192.168.0.24 port 3389
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3389 } -> 192.168.0.24
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3390 } -> 192.168.0.5 port 3389
> rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 6000 } -> 192.168.0.9 port 6000
> rdr on $ifDSL1 proto udp from 80.55.58.238 to 83.16.196.122 port { 177 } -> 192.168.0.9 port 177
> rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 22 } -> 192.168.0.9 port 22
> rdr on $ifDSL2 proto tcp from any to 83.16.196.132 port { 25 } -> 192.168.1.1 port 27
>
> ## binat
> binat on $ifDSL3 from $exLocal to ! $netLocal -> $exDSL3
> binat on $ifDSL3 from $robertLocal to ! $netLocal -> $robertDSL3
>
> # source routing
> pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
> pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from any to 136.159.158.52 keep state   # -> myweb via dsl2
> pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3) } from { 192.168.0.3 , 192.168.0.4 } to ! $netLocal keep state   # -> DSL3
> pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from $netPSN to ! $netLocal keep state   # -> dsl1
> pass in quick on $ifInt route-to { ($ifDSL2 $gwDSL2) } from $netDMZ to ! $netLocal keep state   # -> dsl2
>
> # queues
> # DSL1
> pass out on $ifDSL1 proto tcp from any to any port 22 flags S/SA \
>     keep state queue (q1ssh, q1pri)
> pass out on $ifDSL1 proto tcp from $ifDSL1 to any flags S/SA \
>     keep state queue (q1def, q1pri)
> pass in on $ifDSL1 proto tcp from any to $ifDSL1 flags S/SA \
>     keep state queue (q1def, q1pri)
>
> # DSL2
> pass out on $ifDSL2 proto tcp from any to any port 22 flags S/SA \
>     keep state queue (q2ssh, q2pri)
> pass out on $ifDSL2 proto tcp from $ifDSL2 to any flags S/SA \
>     keep state queue (q2def, q2pri)
> pass in on $ifDSL2 proto tcp from any to $ifDSL2 flags S/SA \
>     keep state queue (q2def, q2pri)
>
> # DSL3
> pass out on $ifDSL3 proto tcp from any to any port 22 flags S/SA \
>     keep state queue (q3ssh, q3pri)
> pass out on $ifDSL3 proto tcp from $ifDSL3 to any flags S/SA \
>     keep state queue (q3def, q3pri)
> pass in on $ifDSL3 proto tcp from any to $ifDSL3 flags S/SA \
>     keep state queue (q3def, q3pri)
> --- end of pf.conf ----

--
Claudiu Dragalina-Paraipan
dr.clau@gmail.com
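An added example, not from either message in this thread, showing how inbound redirects arriving on the uplinks that do not hold the default route can be given symmetric return routing with pf's reply-to option; interface names follow the thread, while the addresses are constructed documentation ranges and the service port is assumed:

```pf
# Added example: three uplinks, rl1 holds the default route. A connection
# redirected in on rl2 or rl3 must have its replies sent back through the
# gateway it arrived from, otherwise the peer sees a reply from a different
# public address and the handshake never completes.
# Interface names as in the thread; addresses are constructed (RFC 5737).
ifInt="rl0"
ifDSL1="rl1"
ifDSL2="rl2"
ifDSL3="rl3"
gwDSL2="198.51.100.1"
gwDSL3="203.0.113.1"
pubDSL2="198.51.100.10"
pubDSL3="203.0.113.10"
hostDevel="192.168.1.1"
netLocal="192.168.0.0/16"

# Redirect the service on each uplink's public address to the internal host.
# Filter rules below see the translated destination ($hostDevel).
rdr on $ifDSL2 proto tcp from any to $pubDSL2 port 22 -> $hostDevel
rdr on $ifDSL3 proto tcp from any to $pubDSL3 port 22 -> $hostDevel

# Weak form: no stateful pass rule matches the redirected packet, so the
# reply from $hostDevel entering on $ifInt is treated as a new connection
# and follows whatever route-to/nat policy applies to $hostDevel there.
# pass in on $ifDSL2 proto tcp from any to $hostDevel port 22

# Corrected form: keep state on the inbound rule and record the arrival
# gateway with reply-to, so the reply matches this state and leaves via
# the same uplink; the nat/rdr translation is reversed by the same state.
pass in on $ifDSL2 reply-to ($ifDSL2 $gwDSL2) proto tcp \
    from any to $hostDevel port 22 flags S/SA keep state
pass in on $ifDSL3 reply-to ($ifDSL3 $gwDSL3) proto tcp \
    from any to $hostDevel port 22 flags S/SA keep state

# Locally originated traffic sourced from a non-default uplink's own
# address still needs the FAQ's route-to rules on the default interface.
pass out on $ifDSL1 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
pass out on $ifDSL1 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
```

After loading, `pfctl -ss` should show the redirected connection's state entry, and `tcpdump -ni rl2` should show the SYN/ACK leaving the same interface the SYN arrived on.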