Date:      Wed, 9 Feb 2011 19:54:09 -0500
From:      Maxim Khitrov <max@mxcrypt.com>
To:        Da Rock <freebsd-questions@herveybayaustralia.com.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: pf, binat, rdr, and one ip
Message-ID:  <AANLkTimJrdwga8qC=v7AK0_Z5yFf6bhM9HDDb+mgn-iD@mail.gmail.com>
In-Reply-To: <4D5333E4.7070800@herveybayaustralia.com.au>
References:  <4D515148.3000009@herveybayaustralia.com.au> <20110208151849.GC3267@catflap.slightlystrange.org> <4D51CD05.8040003@herveybayaustralia.com.au> <20110209111646.GD3267@catflap.slightlystrange.org> <4D527BAC.3080805@herveybayaustralia.com.au> <AANLkTinPzyx+fwzOJpwn634jScsQ7SbRada4A9=5oVNs@mail.gmail.com> <4D5333E4.7070800@herveybayaustralia.com.au>

On Wed, Feb 9, 2011 at 7:40 PM, Da Rock
<freebsd-questions@herveybayaustralia.com.au> wrote:
> On 02/09/11 22:38, Maxim Khitrov wrote:
>> On Wed, Feb 9, 2011 at 6:34 AM, Da Rock
>> <freebsd-questions@herveybayaustralia.com.au> wrote:
>>> On 02/09/11 21:16, Daniel Bye wrote:
>>>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>>>> A very quick question.
>>>>>>>
>>>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>>>
>>>>>>> Possible? Or would it die in the hole?
>>>>>>
>>>>>> I guess you're concerned about performance and resource usage? If so,
>>>>>> this may be helpful.
>>>>>>
>>>>>> http://www.openbsd.org/faq/pf/perf.html
>>>>>>
>>>>>> Dan
>>>>>
>>>>> Useful info to have, thanks. But no, I'm interested in whether the
>>>>> binatting will interfere with the rdrs (or vice versa).
>>>>
>>>> Ah, I see. I don't know, is the straight answer - I've never needed to
>>>> use both together. A bit of idle googling seems to suggest it's possible,
>>>> but I don't have time right now to dig any deeper.
>>>
>>> That's exactly what I got too. Nothing definitive to go on. Apparently not
>>> a very common arrangement. It *seems* to be working, but there are some
>>> weird quirks I can't quite account for. Hence the question to the guys
>>> who'd know... :)
>>
>> According to pf.conf(5):
>>
>>     Evaluation order of the translation rules is dependent on the type of
>>     the translation rules and of the direction of a packet. binat rules
>>     are always evaluated first. Then either the rdr rules are evaluated
>>     on an inbound packet or the nat rules on an outbound packet. Rules of
>>     the same type are evaluated in the same order in which they appear in
>>     the ruleset. The first matching rule decides what action is taken.
>>
>> The way I interpret this is that when an outside client tries to
>> establish a connection to one of your servers, the rdr rules will
>> never be evaluated, since the only public IP is translated with binat.
>> Outgoing connections shouldn't have a problem, since binat will only
>> match one local IP address and the others can be translated with nat
>> rules.
>
> Allow me to prefix my comments with the fact that that is not what appears
> to be happening.
>
> I read that as well, but my reading between the lines was that it is the
> _rules_ that are evaluated. So if I have a block all policy and then open up
> what I need, then only the _ports_ specified for that binat machine are
> passed - the rest continue for further evaluation: the rdr rules are then
> assessed and the packets are passed accordingly.
>
> What I see works mostly; I have a binat machine for voip (asterisk), and the
> rest of the jumble gets passed to the rdrs or gets blocked. However, where I
> come unstuck (and this is why I recreated my firewall rules) is I still
> can't get outgoing calls to my voip provider. It still eludes me... So I'm
> not sure if I'm 100% right or not.
>
> Hence my dilemma... I did get outgoing calls to work somewhere when my
> firewall rules were still not quite working, but I couldn't ring in! I have
> used an ATA and tried to figure out what I'm missing, but I still haven't
> got it figured yet.
>
> But I digress. At the time when I started this thread I was having some odd
> issues with my rdr servers, but now they appear to be working as they should
> (after some blood, sweat and tears), fingers crossed. So what I will do now
> is finish this problem and get the voip working (which may or may not be a
> firewall problem), and then see whether it all works as beautifully as it
> should; then I will report back on this thread and let people know the
> outcome.
>

Are you using binat specifically for voip or is there some other
reason? I used to run a voip appliance behind m0n0wall (FreeBSD 6)
using regular nat and port forwarding without any problems. I'm not
familiar with asterisk, but I assume there is a way to restrict the
port range that is used for incoming and outgoing connections. Binat
shouldn't be needed for this if that's your only reason for going that
route.

- Max

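The evaluation order quoted from pf.conf(5) in the thread is easiest to see against a concrete ruleset. The block below is an added example written for this page, not configuration posted by anyone in the thread. It uses the older separate nat/rdr/binat syntax that FreeBSD's pf speaks, documentation-range addresses, and a SIP port and RTP range that are assumptions to be replaced with whatever the Asterisk box is actually configured for. Layout A is the arrangement the question describes (one host binat'ed to the only public IP, the rest rdr'ed); layout B is the plain nat plus port-forwarding arrangement Max suggests. Two points of pf behaviour separate them: a binat rule carries no port specification and installs the reverse mapping automatically, so a binat on the only public IP matches every inbound packet for that IP before any rdr rule is consulted; and translation is done before filtering, so pass/block rules are matched against the already translated internal address and cannot hand a packet that binat has claimed over to an rdr rule instead.

```pf
# Added example, not from the thread. Interfaces, addresses, the SIP port
# and the RTP range are all assumptions; replace them with your own.
ext_if    = "em0"
int_if    = "em1"
ext_ip    = "192.0.2.10"      # the single static public IP (RFC 5737 range)
voip      = "10.0.0.5"        # Asterisk host
www       = "10.0.0.6"
mail      = "10.0.0.7"
sip_ports = "5060"            # assumption: set to what sip.conf binds
rtp_ports = "10000:20000"     # assumption: set to rtp.conf, and keep it narrow

### Layout A (the arrangement in the question) - shown commented out.
# binat is evaluated before rdr and takes no port. Because it maps the whole
# of $ext_ip to $voip in both directions, every inbound packet addressed to
# $ext_ip matches it, so the two rdr lines never see an inbound packet.
# Outbound connections from $www and $mail still work: their replies match
# the state entry created on the way out, and state is checked before rules.
#binat on $ext_if from $voip to any -> $ext_ip
#rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $www
#rdr on $ext_if proto tcp from any to $ext_ip port 25 -> $mail

### Layout B (what Max suggests): nat for everything outbound, rdr only for
### the ports each DMZ host actually serves. rdr rules of the same type are
### first-match in file order, so list the most specific ones first.
nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $ext_if proto udp from any to $ext_ip port $sip_ports -> $voip
rdr on $ext_if proto udp from any to $ext_ip port $rtp_ports -> $voip
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $www
rdr on $ext_if proto tcp from any to $ext_ip port 25 -> $mail

### Filter rules run after translation and see the internal address, so the
### pass rules name the DMZ hosts, not $ext_ip.
block in log all
pass out quick keep state
pass in on $ext_if proto udp from any to $voip port { $sip_ports, $rtp_ports } keep state
pass in on $ext_if proto tcp from any to $www  port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail port 25 flags S/SA keep state
```

Check it with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded), then `pfctl -s nat` to list the translation rules pf actually holds and `pfctl -s state` after a test connection to confirm it was translated to the host you expected. One caveat that pf cannot address: SIP carries the caller's own address inside its messages, so an Asterisk behind nat also has to be told the public IP in its own configuration; when that is missing it is a common reason for calls to work in one direction but not the other, independent of whether binat or rdr is used.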