From owner-freebsd-questions@FreeBSD.ORG Thu Feb 10 00:42:49 2011
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3E2821065672 for ; Thu, 10 Feb 2011 00:42:49 +0000 (UTC) (envelope-from freebsd-questions@herveybayaustralia.com.au)
Received: from mail.unitedinsong.com.au (mail.unitedinsong.com.au [150.101.178.33]) by mx1.freebsd.org (Postfix) with ESMTP id 962D58FC12 for ; Thu, 10 Feb 2011 00:42:48 +0000 (UTC)
Received: from laptop1.herveybayaustralia.com.au (laptop1.herveybayaustralia.com.au [192.168.0.186]) by mail.unitedinsong.com.au (Postfix) with ESMTP id 42CE85C44; Thu, 10 Feb 2011 10:49:55 +1000 (EST)
Message-ID: <4D5333E4.7070800@herveybayaustralia.com.au>
Date: Thu, 10 Feb 2011 10:40:04 +1000
From: Da Rock
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.16) Gecko/20110204 Thunderbird/3.0.11 ThunderBrowse/3.3.4
MIME-Version: 1.0
To: Maxim Khitrov
References: <4D515148.3000009@herveybayaustralia.com.au> <20110208151849.GC3267@catflap.slightlystrange.org> <4D51CD05.8040003@herveybayaustralia.com.au> <20110209111646.GD3267@catflap.slightlystrange.org> <4D527BAC.3080805@herveybayaustralia.com.au>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: pf, binat, rdr, and one ip
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 10 Feb 2011 00:42:49 -0000

On 02/09/11 22:38, Maxim Khitrov wrote:
> On Wed, Feb 9, 2011 at 6:34 AM, Da Rock wrote:
>
>> On 02/09/11 21:16, Daniel Bye wrote:
>>
>>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>>
>>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>>
>>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>>
>>>>>> A very quick question.
>>>>>>
>>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>>
>>>>>> Possible? Or would it die in the hole?
>>>>>>
>>>>> I guess you're concerned about performance and resource usage? If so,
>>>>> this may be helpful.
>>>>>
>>>>> http://www.openbsd.org/faq/pf/perf.html
>>>>>
>>>>> Dan
>>>>>
>>>> Useful info to have, thanks. But no, I'm interested in whether the binatting
>>>> will interfere with the rdr's (or vice versa).
>>>>
>>> Ah, I see. I don't know, is the straight answer - I've never needed to use
>>> both together. A bit of idle googling seems to suggest it's possible, but
>>> I don't have time right now to dig any deeper.
>>>
>> That's exactly what I got too. Nothing definitive to go on. Apparently not a
>> very common arrangement. It *seems* to be working, but there are some weird
>> quirks I can't quite account for. Hence the question to the guys who'd
>> know... :)
>>
> According to pf.conf(5):
>
> Evaluation order of the translation rules is dependent on the type of the
> translation rules and of the direction of a packet. binat rules are
> always evaluated first. Then either the rdr rules are evaluated on an
> inbound packet or the nat rules on an outbound packet. Rules of the same
> type are evaluated in the same order in which they appear in the ruleset.
> The first matching rule decides what action is taken.
>
> The way I interpret this is that when an outside client tries to
> establish a connection to one of your servers, the rdr rules will
> never be evaluated, since the only public IP is translated with binat.
> Outgoing connections shouldn't have a problem, since binat will only
> match one local IP address and the others can be translated with nat
> rules.

Allow me to prefix my comments with the fact that that is not what appears to be happening.
I read that as well, but my reading between the lines was that it is the _rules_ that are evaluated. So if I have a block-all policy and then open up what I need, then only the _ports_ specified for that binat machine are passed; the rest continue for further evaluation: the rdr rules are then assessed and the packets are passed accordingly.

What I see works mostly; I have a binat machine for voip (asterisk), and the rest of the jumble gets passed to the rdr's or gets blocked. However, where I come unstuck (and this is why I recreated my firewall rules) is I still can't get outgoing calls to my voip provider. It still eludes me... So I'm not sure if I'm 100% right or not. Hence my dilemma...

I did get outgoing calls to work somewhere when my firewall rules were still not quite working, but I couldn't ring in! I have used an ata and tried to figure out what I'm missing, but I still haven't got it figured yet. But I digress.

At the time when I started this thread I was having some odd issues with my rdr servers, but now they appear to be working as they should (after some blood, sweat and tears), fingers crossed. So what I will do now is finish this problem and get the voip working (which may or may not be a firewall problem), and then see whether it all works as beautifully as it should; then I will report back on this thread and let people know the outcome.
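An added illustration of the evaluation order quoted from pf.conf(5) in the thread above. This is a constructed ruleset, not anything posted by Da Rock, Maxim or Daniel; the interface names, addresses and the SIP/RTP port numbers are placeholders and assumptions. It uses the pre-4.7 pf syntax that the quoted man page text belongs to, where translation rules are separate from filter rules and a binat rule carries no port qualifier. Layout A is the arrangement the thread discusses (one host on binat, the rest on rdr); layout B expresses the same intent with rdr only, so that the destination port, not the address, decides which internal host a packet reaches.

```pf
# Constructed example pf.conf (not from the thread); every address and
# interface below is a placeholder.
ext_if = "em0"
int_if = "em1"
pub_ip = "203.0.113.10"        # the single static public address
voip   = "192.168.0.10"        # assumed: the asterisk box
web    = "192.168.0.20"        # assumed: a web server on the dmz
mail   = "192.168.0.30"        # assumed: a mail server on the dmz

# ---- Layout A: binat for the VoIP box, rdr for everything else ----

# Outbound: binat is evaluated first, so $voip leaves via the binat
# rule below; all other dmz hosts are translated by this nat rule.
nat on $ext_if from $int_if:network to any -> $pub_ip

# Inbound: binat is evaluated before rdr and matches on addresses only
# (the binat grammar has no port clause), so on the pf.conf(5) reading
# quoted above every packet arriving for $pub_ip is rewritten to $voip
# here and the rdr rules after it are never consulted.
binat on $ext_if from $voip to any -> $pub_ip

rdr on $ext_if proto tcp from any to $pub_ip port 80 -> $web port 80
rdr on $ext_if proto tcp from any to $pub_ip port 25 -> $mail port 25

# ---- Layout B (alternative, shown commented out): rdr only ----
# Here the port decides the target host. SIP signalling on udp/5060 and
# an RTP range of 10000-20000 are assumed asterisk defaults, not values
# from the thread; a rdr with no port after "->" leaves the port as is.
#
# nat on $ext_if from $int_if:network to any -> $pub_ip
# rdr on $ext_if proto udp from any to $pub_ip port 5060 -> $voip
# rdr on $ext_if proto udp from any to $pub_ip port 10000:20000 -> $voip
# rdr on $ext_if proto tcp from any to $pub_ip port 80 -> $web
# rdr on $ext_if proto tcp from any to $pub_ip port 25 -> $mail

# ---- Filter rules (block-all policy, then open what is needed) ----
# Filtering happens after translation, so inbound pass rules name the
# internal address a packet has already been rewritten to.
block in log all
pass out quick keep state
pass in on $ext_if proto udp from any to $voip port 5060 keep state
pass in on $ext_if proto tcp from any to $web  port 80   keep state
pass in on $ext_if proto tcp from any to $mail port 25   keep state
```

The useful check for a ruleset like this is `pfctl -nf /etc/pf.conf` to parse it without loading, then `pfctl -s nat` after loading to see the translation rules in the order pf will evaluate them: the binat entry is listed before the rdr entries regardless of where it was written in the file. Whether the rdr rules still see inbound traffic once a binat covers the same public address is exactly the question the thread is chasing; the man page text says they do not.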