Date:      Mon, 6 Jul 2009 15:35:15 +0200
From:      Kim Attree <kim.attree@playsafesa.com>
To:        Giuliano Gavazzi <dev+lists@humph.com>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   RE: Problem with source based policy routing
Message-ID:  <00265389C30B444288C246DF37651D0C37698F3933@server-02.playsafesa.com>
In-Reply-To: <E5834FA3-2CC4-4192-9A26-0C4914B782A2@humph.com>
References:  <00265389C30B444288C246DF37651D0C37637A1893@server-02.playsafesa.com> <E5834FA3-2CC4-4192-9A26-0C4914B782A2@humph.com>

> -----Original Message-----
> From: Giuliano Gavazzi [mailto:dev+lists@humph.com]
> Sent: 06 July 2009 03:13 PM
> To: Kim Attree
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: Problem with source based policy routing
>
>
> On M 6 Jul, 2009, at 10:36 , Kim Attree wrote:
>
> >
> > Hey Guys,
> >
> >
> >
> > I'm having a problem with source-based policy routing in IPFW, I'm
> > trying to run a load-balanced SMTP System over two links.
> >
> > Primary link is re0, lets give it an ip of 192.168.1.1
> > Secondary link is re1, with an ip of 192.168.2.1
> >
> > Default gateway for the box is 192.168.1.254 (so ALL outgoing
> > traffic goes out of re0, unless hardcoded into the routing table for
> > destinations instead)
> > Default gateway for re1 is 192.168.2.254
> >
> > I want re1 to be able to accept SMTP, but respond to the originating
> > IP over the same link re1 (instead of the default gateway).
> > With this in mind, I setup my NAT accordingly:
> >
> > <snip>
> > port 8669
> > alias_address 192.168.2.1
> > same_ports yes
> > use_sockets yes
> > log_ipfw_denied yes
> > redirect_port tcp 10.0.0.1:25 192.168.2.1:25
> > </snip>
> >
> > And the IPFW rules such:
> >
> > <snip>
> > # NATD Statements
> > add 00097 divert 8668 all from any to any via re0
> > add 00097 divert 8669 all from any to any via re1
> >
>
> why NAT? Unless you also want to spread outgoing traffic from internal
> hosts, presumably based on dest port or network, then NAT is of no use
> (except the one via re0 that is presumably used for internal hosts).
> Incoming packets don't need any rules as the gw 192.168.2.254 knows
> how to reach your host, you only need to fwd (that is to route) your
> outgoing packets according to the source. I have a similar setup (with
> also 2 NATs because I do use both gateways also for natted hosts).

I have one Internal Exchange server (don't laugh), and NAT handles the static mapping of IP/Port to that server. The original point here is to have two mapped NAT port 25's to the same internal Mail server, hence the addition of the NAT before and during the forward logic (obviously wrong though).

> The fwd rule would be very early, just after the loopback rules,
> UNLESS you want to block outgoing traffic on some ports:
>
> add 50 fwd 192.168.2.254 src-ip 192.168.2.1 not dst-ip 192.168.2.1/24
>
> That should do it.

Because the incoming traffic traverses NAT, this won't work:

192.168.2.254 --> 192.168.2.1(NAT:25) --> 10.0.0.1:25 --> 192.168.2.1(NAT) --> 192.168.2.254 --> World

The forward ends firewall rule processing, meaning the traffic cannot carry on outbound by my logic.

> NOTE: if you also do NAT on that port (re1), then you need this also
> after the corresponding nat rule.
> But I urge you to distinguish between necessarily natted traffic (that
> is traffic coming from internal hosts) and traffic coming from the
> host itself, by using an alias on the same subnet (say 192.168.2.2)
> for the natted traffic. This way you avoid natting traffic that does
> not need it, and can easily distinguish between incoming traffic for
> your host (192.168.2.1) and for natted hosts (192.168.2.2).
>
>
> Giuliano

Thanks for your assistance, any further help would be greatly appreciated!!!

Kim