From: Claudiu Dragalia-Paraipan <dr.clau@gmail.com>
Date: Tue, 30 Nov 2004 21:02:06 +0200
To: Robert M
Cc: freebsd-pf@freebsd.org
Subject: Re: 3 gateways problem

Hi,

maybe this helps you. It is a part of the PF FAQ that you can find at
http://www.openbsd.org/faq/pf/

----------
http://cvs.openbsd.org/faq/pf/pools.html
...
To ensure that packets with a source address belonging to $ext_if1 are
always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
following two lines should be included in the ruleset:

    pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
        to any
    pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
        to any

Finally, NAT can also be used on each outgoing interface:

    nat on $ext_if1 from $lan_net to any -> ($ext_if1)
    nat on $ext_if2 from $lan_net to any -> ($ext_if2)
...
----------

Robert M wrote:
> Hello,
>
> I have a problem with source routing via 3 gateways.
>
> All I need is to be able to get in to my local machine via 'rdr' rule.
>
> All connections are routed via firewall box with 4 ethernet cards.
>
> I don't want this done via 'binat' rule as I only want to rdr some ports.
>
> When telneting from external host to:
> 83.16.196.130 port 22 -> I want to be redirected to 192.168.1.1 port 22
> As well as:
> 194.110.229.163 port 22 -> 192.168.1.1 22
>
> This also can be done by adding a new eg. 192.168.1.2 IP to my local
> machine, but it requires daemon binding setting changes.. so I'd rather not.
>
> The problem is that 1/2 connections are established properly.
>
> I assume it's a problem with rule:
> pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
>
> where the system doesn't know which gateway should be used for the
> return packet.
>
> Below is my pf.conf (sorry it's messy a little).
>
> OS: FreeBSD fw 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Fri Jul 16 16:17:52 UTC 2004 root@fw:/usr/obj/usr/src/sys/TUNED i386
>
> Thank you!
>
> Regards,
> Robert
>
> ------- pf.conf -----
> # vars
> ifInt="rl0"
> ifDSL1="rl1"
> ifDSL2="rl2"
> ifDSL3="rl3"
>
> exLocal="192.168.0.3"
> exDSL3="194.110.229.164"
> robertLocal="192.168.0.4"
> robertDSL3="194.110.229.165"
> develDSL3="194.110.229.163"
> fwDSL3="194.110.229.162"
>
> ## networks
> netDSL1="83.16.196.120/29"   # dsl1
> gwDSL1="83.16.196.121"       # gw
>
> netDSL2="83.16.196.128/29"   # dsl2
> gwDSL2="83.16.196.129"       # gw
>
> netPSN="192.168.0.0/24"      # Private Service Network (
>
> netDMZ="192.168.1.0/24"      # Demilitarized Zone (hostDevel)
> hostDevel="192.168.1.1"      # devel
> netLocal="192.168.0.0/16"    # psn+dmz
>
> netDSL3="194.110.229.160/27" # DSL3
> gwDSL3="194.110.229.161"     # gw
>
> ## altq
> altq on $ifDSL1 priq bandwidth 250Kb queue { q1pri, q1ssh, q1def }
> queue q1pri priority 7
> queue q1ssh priority 5
> queue q1def priority 1 priq(default)
>
> altq on $ifDSL2 priq bandwidth 250Kb queue { q2pri, q2ssh, q2def }
> queue q2pri priority 7
> queue q2ssh priority 5
> queue q2def priority 1 priq(default)
>
> altq on $ifDSL3 priq bandwidth 2000Kb queue { q3pri, q3ssh, q3def }
> queue q3pri priority 7
> queue q3ssh priority 5
> queue q3def priority 1 priq(default)
>
> ## nat 1:n (output)
> nat on $ifDSL1 from $netLocal to ! $netLocal -> 83.16.196.122     # dsl1
> nat on $ifDSL2 from $hostDevel to ! $netLocal -> 83.16.196.130    # dsl2
> nat on $ifDSL2 from $netLocal to ! $netLocal -> 83.16.196.130
> nat on $ifDSL3 from $netLocal to ! $netLocal -> 194.110.229.162   # DSL3
> nat on $ifDSL3 from 192.168.1.1 to ! $netLocal -> $develDSL3      # devel(DSL3)
>
> ## nat 1:1 (input)
> # devel
> rdr on $ifDSL1 proto tcp from any to 83.16.196.123 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> rdr on $ifDSL3 proto tcp from any to 194.110.229.163 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
>
> rdr on $ifDSL2 proto tcp from any to 83.16.196.131 port { 25 } -> 192.168.1.1 port 2030
> rdr on $ifInt proto tcp from $netLocal to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 137, 138, 139, 465, 993, 995, 2401 } -> 192.168.1.1
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 443 } -> 192.168.0.3 port 22
> rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 6100, 6101, 6102 } -> 192.168.0.3
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5900 } -> 192.168.0.4
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5901 } -> 192.168.0.6 port 5900
> rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 5901 } -> 192.168.0.6 port 5900
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> rdr on $ifDSL1 proto udp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5903 } -> 192.168.0.24 port 3389
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3389 } -> 192.168.0.24
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3390 } -> 192.168.0.5 port 3389
> rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 6000 } -> 192.168.0.9 port 6000
> rdr on $ifDSL1 proto udp from 80.55.58.238 to 83.16.196.122 port { 177 } -> 192.168.0.9 port 177
> rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 22 } -> 192.168.0.9 port 22
> rdr on $ifDSL2 proto tcp from any to 83.16.196.132 port { 25 } -> 192.168.1.1 port 27
>
> ## binat
> binat on $ifDSL3 from $exLocal to ! $netLocal -> $exDSL3
> binat on $ifDSL3 from $robertLocal to ! $netLocal -> $robertDSL3
>
> # source routing
> pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
> pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from any to 136.159.158.52 keep state   # -> myweb via dsl2
> pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3) } from { 192.168.0.3 , 192.168.0.4 } to ! $netLocal keep state   # -> DSL3
> pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from $netPSN to ! $netLocal keep state   # -> dsl1
> pass in quick on $ifInt route-to { ($ifDSL2 $gwDSL2) } from $netDMZ to ! $netLocal keep state   # -> dsl2
>
> # queues
> # DSL1
> pass out on $ifDSL1 proto tcp from any to any port 22 flags S/SA \
>     keep state queue (q1ssh, q1pri)
> pass out on $ifDSL1 proto tcp from $ifDSL1 to any flags S/SA \
>     keep state queue (q1def, q1pri)
> pass in on $ifDSL1 proto tcp from any to $ifDSL1 flags S/SA \
>     keep state queue (q1def, q1pri)
>
> #DSL 2
> pass out on $ifDSL2 proto tcp from any to any port 22 flags S/SA \
>     keep state queue (q2ssh, q2pri)
> pass out on $ifDSL2 proto tcp from $ifDSL2 to any flags S/SA \
>     keep state queue (q2def, q2pri)
> pass in on $ifDSL2 proto tcp from any to $ifDSL2 flags S/SA \
>     keep state queue (q2def, q2pri)
>
> #DSL3
> pass out on $ifDSL3 proto tcp from any to any port 22 flags S/SA \
>     keep state queue (q3ssh, q3pri)
> pass out on $ifDSL3 proto tcp from $ifDSL3 to any flags S/SA \
>     keep state queue (q3def, q3pri)
> pass in on $ifDSL3 proto tcp from any to $ifDSL3 flags S/SA \
>     keep state queue (q3def, q3pri)
> --- end of pf.conf ----
--
Claudiu Dragalina-Paraipan
dr.clau@gmail.com
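Added example, not from the FAQ quote or from Robert's pf.conf: the FAQ's two route-to rules carried over to the three DSL links of the quoted config, using its own macro names, plus pf's reply-to option on the inbound pass rules for the rdr'd services, which goes beyond the FAQ passage quoted above. It assumes the interface and gateway addresses exactly as given in the post and a pf version that supports reply-to.

```pf
# Added example, not part of the FAQ quote or of Robert's pf.conf.
# Macros copied from the quoted config (assumed unchanged).
ifDSL1="rl1"
ifDSL2="rl2"
ifDSL3="rl3"
gwDSL1="83.16.196.121"
gwDSL2="83.16.196.129"
gwDSL3="194.110.229.161"
hostDevel="192.168.1.1"
devel_ports="{ 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 }"

# Outbound: the FAQ rule for two links, written out for every pair of the
# three. A packet carrying link B's source address that the routing table
# would send out link A is handed to link B's gateway instead, so each ISP
# only ever sees packets sourced from its own address block.
pass out on $ifDSL1 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
pass out on $ifDSL1 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
pass out on $ifDSL2 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL2 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
pass out on $ifDSL3 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL3 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any

# Inbound: rdr rewrites the destination to $hostDevel before the filter
# rules run, so these rules match on the internal address. With no state
# for the redirected connection, replies from $hostDevel would follow the
# default route and leave through the wrong ISP. reply-to records the
# arrival link's gateway in the state entry, so the reply goes back out
# the link the SYN came in on, without giving the host a second address.
pass in on $ifDSL1 reply-to ($ifDSL1 $gwDSL1) proto tcp \
    from any to $hostDevel port $devel_ports flags S/SA keep state
pass in on $ifDSL2 reply-to ($ifDSL2 $gwDSL2) proto tcp \
    from any to $hostDevel port $devel_ports flags S/SA keep state
pass in on $ifDSL3 reply-to ($ifDSL3 $gwDSL3) proto tcp \
    from any to $hostDevel port $devel_ports flags S/SA keep state
```

The nat, rdr and binat rules from the original config stay as they are; run `pfctl -nf /etc/pf.conf` to syntax-check the combined ruleset before loading it.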