Date: Thu, 10 Feb 2011 10:40:04 +1000
From: Da Rock <freebsd-questions@herveybayaustralia.com.au>
To: Maxim Khitrov <max@mxcrypt.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf, binat, rdr, and one ip
Message-ID: <4D5333E4.7070800@herveybayaustralia.com.au>
In-Reply-To: <AANLkTinPzyx%2BfwzOJpwn634jScsQ7SbRada4A9=5oVNs@mail.gmail.com>
References: <4D515148.3000009@herveybayaustralia.com.au> <20110208151849.GC3267@catflap.slightlystrange.org> <4D51CD05.8040003@herveybayaustralia.com.au> <20110209111646.GD3267@catflap.slightlystrange.org> <4D527BAC.3080805@herveybayaustralia.com.au> <AANLkTinPzyx%2BfwzOJpwn634jScsQ7SbRada4A9=5oVNs@mail.gmail.com>
On 02/09/11 22:38, Maxim Khitrov wrote:
> On Wed, Feb 9, 2011 at 6:34 AM, Da Rock
> <freebsd-questions@herveybayaustralia.com.au> wrote:
>
>> On 02/09/11 21:16, Daniel Bye wrote:
>>
>>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>>
>>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>>
>>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>>
>>>>>> A very quick question.
>>>>>>
>>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>>
>>>>>> Possible? Or would it die in the hole?
>>>>>>
>>>>> I guess you're concerned about performance and resource usage? If so,
>>>>> this may be helpful.
>>>>>
>>>>> http://www.openbsd.org/faq/pf/perf.html
>>>>>
>>>>> Dan
>>>>>
>>>> Useful info to have, thanks. But no, I'm interested in whether the binatting
>>>> will interfere with the rdr's (or vice versa).
>>>>
>>> Ah, I see. I don't know, is the straight answer - I've never needed to use
>>> both together. A bit of idle googling seems to suggest it's possible, but
>>> I don't have time right now to dig any deeper.
>>>
>> That's exactly what I got too. Nothing definitive to go on. Apparently not a
>> very common arrangement. It *seems* to be working, but there are some weird
>> quirks I can't quite account for. Hence the question to the guys who'd
>> know... :)
>>
> According to pf.conf(5):
>
> Evaluation order of the translation rules is dependent on the type of the
> translation rules and of the direction of a packet. binat rules are
> always evaluated first. Then either the rdr rules are evaluated on an
> inbound packet or the nat rules on an outbound packet. Rules of the same
> type are evaluated in the same order in which they appear in the ruleset.
> The first matching rule decides what action is taken.
>
> The way I interpret this is that when an outside client tries to
> establish a connection to one of your servers, the rdr rules will
> never be evaluated, since the only public IP is translated with binat.
> Outgoing connections shouldn't have a problem, since binat will only
> match one local IP address and the others can be translated with nat
> rules.
>

Allow me to prefix my comments with the fact that that is not what appears to be happening.

I read that as well, but my reading between the lines was that it is the _rules_ that are evaluated. So if I have a block all policy and then open up what I need, then only the _ports_ specified for that binat machine are passed; the rest continue for further evaluation: the rdr rules are then assessed and the packets are passed accordingly.

What I see works mostly; I have a binat machine for voip (asterisk), and the rest of the jumble gets passed to the rdr's or gets blocked. However, where I come unstuck (and this is why I recreated my firewall rules) is I still can't get outgoing calls to my voip provider. It still eludes me... So I'm not sure if I'm 100% right or not. Hence my dilemma...

I did get outgoing calls to work somewhere when my firewall rules were still not quite working, but I couldn't ring in! I have used an ata and tried to figure out what I'm missing, but I still haven't got it figured yet. But I digress.

At the time when I started this thread I was having some odd issues with my rdr servers, but now they appear to be working as they should (after some blood, sweat and tears), fingers crossed. So what I will do now is finish this problem and get the voip working (which may or may not be a firewall problem), and then see whether it all works as beautifully as it should; then I will report back on this thread and let people know the outcome.
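The arrangement discussed in the thread (one static public IP, one host on binat, the remaining DMZ hosts on rdr, default-deny filter), written out as an added example in the pre-4.7 pf.conf syntax FreeBSD shipped at the time. It is not taken from the thread or from the poster's own ruleset; the interface name and all addresses are assumed placeholders. Per the pf.conf(5) text quoted above, the binat line is consulted before the rdr lines on inbound packets, and the comments note what that ordering implies for each rule.

```pf
# Added example, not from the thread. Interface and addresses are assumed.
ext_if = "em0"
ext_ip = "203.0.113.10"       # the single static public IP (documentation range)
lan    = "192.168.1.0/24"     # internal/DMZ network
voip   = "192.168.1.10"       # host given the whole public IP via binat
web    = "192.168.1.20"
mail   = "192.168.1.30"

# binat: evaluated first, in both directions (pf.conf(5)). Inbound packets
# to $ext_ip are rewritten to $voip here, before any rdr rule is looked at.
binat on $ext_if from $voip to any -> $ext_ip

# rdr: evaluated on inbound packets only, and only if no binat rule matched.
# Because the binat line above already claims every inbound packet to $ext_ip,
# these lines can only be reached by inbound traffic the binat rule leaves alone.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $web port 80
rdr on $ext_if proto tcp from any to $ext_ip port 25 -> $mail port 25

# nat: evaluated on outbound packets only; $voip is already handled by binat,
# so this covers the rest of the internal network.
nat on $ext_if from $lan to any -> $ext_ip

# Filter rules run after translation and see the translated (internal)
# destination, so each pass rule names the internal host, not $ext_ip.
block all
pass in on $ext_if proto udp from any to $voip port 5060 keep state
pass in on $ext_if proto tcp from any to $web  port 80   keep state
pass in on $ext_if proto tcp from any to $mail port 25   keep state
pass out on $ext_if from $lan to any keep state
```

To check what pf actually does with a ruleset like this, `pfctl -s nat` prints the loaded translation rules in their evaluation order (binat, then rdr, then nat), and `pfctl -s state` shows, per connection, which translation was applied; comparing those against the expectation above is the quickest way to settle whether inbound traffic for the rdr hosts is reaching the rdr rules or being consumed by the binat rule first.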
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D5333E4.7070800>