Date:      Thu, 18 Jan 2007 23:49:53 -0500
From:      Tom Uffner <tom@uffner.com>
To:        freebsd-pf@freebsd.org
Subject:   carp & spamd problems when using if_bridge + nat
Message-ID:  <45B04DF1.40800@uffner.com>

I am trying to build a redundant firewall with a NATed interface
and a bridged DMZ interface. Toward this end I have a pair of machines
with four network interfaces each (bge0, bge1, em0, em1).

My first thought was to bridge two of these, assign the outside IP to
bridge0, then use the 3rd & 4th for my inside & pfsync interfaces, with
carp0 sharing an IP between the bridge interfaces & carp1 sharing an IP
on the inside interfaces, e.g.:

box #0
# Attempt 1, box #0: the outside address lives on bridge0 (bge0 + em0 bridged),
# with carp0 stacked on top of it.
cloned_interfaces="bridge0 carp0 carp1"
# bridge members carry no address of their own
ifconfig_bge0="up polling"
ifconfig_em0="up polling"
# (this value is wrapped by the mail client; in rc.conf it is one line)
ifconfig_bridge0="addm bge0 addm em0 inet 207.245.109.6 netmask 
255.255.255.0 up"
# inside network
ifconfig_bge1="inet 10.10.1.6  netmask 255.255.0.0 up"
# dedicated pfsync link, see pfsync_syncdev below
ifconfig_em1="inet 192.168.254.6 netmask 255.255.255.0"
# carp0: shared outside address. NOTE(review): no physical interface here holds an
# address in 207.245.109/24 (bridge0 does), which is presumably why carp0 would
# not come up in this layout -- confirm. The CARP password is stored in clear
# text in rc.conf, so the file's permissions matter.
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
# carp1: shared inside address. advskew is 100 on both boxes, so neither box
# is the preferred master.
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
# pfsync carries state updates without authentication; it is confined to the
# dedicated em1 link (192.168.254/24)
pfsync_enable="YES"
pfsync_syncdev="em1"

box #1
# Attempt 1, box #1: same layout as box #0 with the .7 addresses; the outside
# address is on bridge0, carp0/carp1 share the .13 addresses with box #0.
cloned_interfaces="bridge0 carp0 carp1"
# bridge members carry no address of their own
ifconfig_bge0="up polling"
ifconfig_em0="up polling"
# (this value is wrapped by the mail client; in rc.conf it is one line)
ifconfig_bridge0="addm bge0 addm em0 inet 207.245.109.7 netmask 
255.255.255.0 up"
# inside network
ifconfig_bge1="inet 10.10.1.7  netmask 255.255.0.0 up"
# dedicated pfsync link
ifconfig_em1="inet 192.168.254.7 netmask 255.255.255.0"
# NOTE(review): carp0 has no physical parent with a 207.245.109/24 address here
# (bridge0 holds it) -- presumably why it did not come up; confirm.
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
# advskew 100 on both boxes: no preferred master
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
# pfsync is unauthenticated; kept on the dedicated em1 link
pfsync_enable="YES"
pfsync_syncdev="em1"

This didn't work because I couldn't get the carp0 interface to come up.

I am now using:

box #0
# Attempt 2, box #0: the outside address is on bge0 itself and bridge0 is
# addressless; bge0 and em0 (DMZ) are bridged, so DMZ hosts sit on the same
# 207.245.109/24 segment as the outside interface.
cloned_interfaces="bridge0 carp0 carp1"
# outside interface, now the parent of carp0 (same /24 as the carp0 address)
ifconfig_bge0="inet 207.245.109.6 netmask 255.255.255.0 up polling"
# inside network, parent of carp1
ifconfig_bge1="inet 10.10.1.6  netmask 255.255.0.0 up"
# DMZ side of the bridge, no address
ifconfig_em0="up polling"
# dedicated pfsync link
ifconfig_em1="inet 192.168.254.6 netmask 255.255.255.0"
ifconfig_bridge0="addm bge0 addm em0 up"
# shared outside / inside addresses. The CARP passwords are in clear text in
# rc.conf; advskew is 100 on both boxes, so neither is the preferred master.
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
# pfsync is unauthenticated; it stays on the dedicated em1 link
pfsync_enable="YES"
pfsync_syncdev="em1"

box #1
# Attempt 2, box #1: mirror of box #0 with the .7 addresses; outside address
# on bge0, addressless bridge0 joining bge0 and em0 (DMZ).
cloned_interfaces="bridge0 carp0 carp1"
# outside interface, parent of carp0
ifconfig_bge0="inet 207.245.109.7 netmask 255.255.255.0 up polling"
# inside network, parent of carp1
ifconfig_bge1="inet 10.10.1.7  netmask 255.255.0.0 up"
# DMZ side of the bridge, no address
ifconfig_em0="up polling"
# dedicated pfsync link
ifconfig_em1="inet 192.168.254.7 netmask 255.255.255.0"
ifconfig_bridge0="addm bge0 addm em0 up"
# shared addresses; same vhid/password as box #0, advskew 100 on both boxes
# (no preferred master)
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
# pfsync is unauthenticated; it stays on the dedicated em1 link
pfsync_enable="YES"
pfsync_syncdev="em1"

I am directing traffic from the external router to the firewall with
proxy ARP. This configuration at least comes up and sort of works, but
hosts on the DMZ network (em0) cannot connect to hosts on the inside
network (bge1) and vice versa, though they can ping each other.

What am I doing wrong with this network topology?

Here is my pf.conf:

# Macros: define common values, so they can be referenced and changed 
easily.
# (Several long lines below are wrapped by the mail client; in the real
#  pf.conf each rule is one line or continues with a backslash.)
ext_if="bge0"
dmz_if="em0"
int_if="bge1"
pfs_if="em1"
# translation address: the carp0 interface, i.e. the shared outside IP
nat_ip="carp0"

# services exposed on the DMZ hosts in <vandal-ip>; the TCP list includes
# 3306 (MySQL) and 6666 and is used below without any source restriction
vandal_ports="{ 20 21 22 25 53 80 110 143 443 465 587 993 995 2082 2083 
2086 \
     2087 2095 2096 3306 6666 }"
vandal_ports_udp="{ 53 123 }"

# Tables: similar to macros, but more flexible for many addresses.
table <binat-hosts> const { 10.10.1.8 10.10.1.9 10.10.1.11 10.10.1.12 
10.10.1.15 10.10.1.23 }
# DMZ hosts: .5 plus .129-.254 (the .128 network address is excluded)
table <vandal-ip> const { 207.245.109.5 207.245.109.128/25 
!207.245.109.128 }
table <http-serv> const { 10.10/16 !10.10.8.6 !10.10.8.5 }
table <https-serv> const { 10.10/16 }
table <mail-hosts-int> const { 10.10.1.12 }
table <mail-hosts-ext> const { 207.245.109.12 }
table <mail-hosts-no-grey> const { 207.245.109.15 }

#pass contains ext & no-grey & vandal
# NOTE(review): because this table contains 207.245.109.128/25 (the DMZ
# range), the second rdr rule below never greylists SMTP to DMZ hosts; for
# them only sources already listed in <spamd> are redirected (first rdr rule).
table <mail-hosts-pass> { 207.245.109.12 207.245.109.15 \
     207.245.109.128/25 !207.245.109.128 }
# filled at runtime (spamd-setup / spamd), hence persist rather than const
table <spamd> persist
table <spamd-white> persist

# don't filter loopback or virtual interfaces
# Only the carp pseudo-interfaces are exempted; "carp0"/"carp1" used as an
# address in rules below still expand to their IPs. The packets to those IPs
# are presumably seen on the physical parents and filtered there -- confirm.
set skip on { carp0 carp1 }

# Normalization: reassemble fragments and resolve or reduce traffic 
ambiguities.
scrub in all

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address 
$internal_net will
# get translated as coming from the address of $ext_if, a state is 
created for
# such packets, and incoming packets will be redirected to the internal 
address.

# outbound NAT for the inside network; the source becomes carp0's shared
# address rather than bge0's own, presumably so translated connections
# survive a CARP failover -- confirm
nat on $ext_if from $int_if:network to any -> $nat_ip

# 1:1 mappings for inside hosts that own a public address
binat on $ext_if from 10.10.1.8 to any -> 207.245.109.8         # hbade.org
binat on $ext_if from 10.10.1.9 to any -> 207.245.109.9         # 
delawarehomeshow.com
binat on $ext_if from 10.10.1.11 to any -> 207.245.109.11       # gutenberg
binat on $ext_if from 10.10.1.12 to any -> 207.245.109.12       # sedna
# same mapping on the DMZ interface, presumably so DMZ hosts reach sedna by
# its public address -- confirm
binat on $dmz_if from 10.10.1.12 to any -> 207.245.109.12       # sedna

# spamd-setup puts addresses to be redirected into table <spamd>.
# All three redirections are evaluated on $ext_if only. Whether frames
# bridged from bge0 to the DMZ on em0 are evaluated by pf on bge0 at all
# depends on the bridge pfil sysctls (net.link.bridge.pfil_member /
# net.link.bridge.pfil_bridge) -- verify their values on these boxes.

# sources already in <spamd> go to spamd for any destination except .12
rdr pass on $ext_if proto tcp from <spamd> to !<mail-hosts-ext> port 
smtp -> 127.0.0.1 port 8025
# unknown sources to anything outside <mail-hosts-pass> get greylisted
rdr pass on $ext_if proto tcp from !<spamd-white> to !<mail-hosts-pass> 
port smtp -> 127.0.0.1 port 8025
# .15 bypasses spamd entirely and is forwarded to $int_if's own port 25
rdr pass on $ext_if proto tcp from any to <mail-hosts-no-grey> port smtp 
-> $int_if port 25
# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all inbound traffic not matched by a rule below, don't log smb 
packets
# The default deny covers $ext_if only; the DMZ and inside interfaces are
# passed wholesale further down.
block in log on $ext_if all
block in on $ext_if proto udp from any port 137:139

# return ident instead of dropping to prevent email delay
block return in on $ext_if proto tcp to any port 113

# allow all loopback traffic
pass quick on lo0 all
# NOTE(review): stateless "quick" pass of everything pf sees on bridge0. If
# bridged frames are evaluated on bridge0 (net.link.bridge.pfil_bridge=1),
# nothing crossing the bridge is filtered by the rules below -- confirm.
pass quick on bridge0 all

# block packets claiming to be from an internal address
# (commented out: packets arriving on $ext_if with inside source addresses
#  are currently not dropped by this rule)
#antispoof for $ext_if

# allow CARP & pfsync
# pfsync is unauthenticated, so it is limited to the dedicated $pfs_if link
pass quick on { $pfs_if } proto pfsync keep state (no-sync)
pass on { $ext_if $dmz_if $int_if } proto carp keep state

# allow all traffic on inside interface unless blocked by a rule below
# NOTE(review): this is stateless and bidirectional on both the DMZ and the
# inside interface, so a DMZ host (publicly reachable through the bridge) has
# unrestricted access to the 10.10/16 network; no rule below blocks anything.
pass on { $dmz_if $int_if } all

# allow all outbound connections
pass out on $ext_if flags S/SA keep state

# allow ssh / scp to entire network
# port 22 on every address behind $ext_if, from any source
pass in on $ext_if proto tcp to port ssh flags S/SA keep state

# allow ping & traceroute
# all ICMP types, on every interface (no "on" clause), stateless
pass in inet proto icmp

# allow dns queries, etc.
pass in on $ext_if proto {tcp udp} from any to carp0 port domain flags 
S/SA keep state
# NOTE(review): evaluated on $ext_if but addressed to carp1, the inside VIP;
# logged, presumably to see whether it ever matches -- confirm it is intended
pass in log on $ext_if proto {tcp udp} from any to carp1 port domain 
flags S/SA keep state

# allow outside traffic to vandal
# no direction given, so these match both in and out on $ext_if; the TCP
# port list ($vandal_ports) includes 3306 and 6666, open to any source
pass on $ext_if proto tcp to <vandal-ip> port $vandal_ports flags S/SA 
keep state
pass on $ext_if proto udp to <vandal-ip> port $vandal_ports_udp keep state

# will need to modify all vandal rules because traffic will transit
# DMZ not EXT interface

# allow passive mode ftp via ftpsesame on vandal
anchor "ftpsesame/*" in  on $ext_if proto tcp from any to <vandal-ip>

# allow vandal & office ntp
pass log on $ext_if proto udp from {207.245.109.5 207.245.121.208/28} \
         to {10.10.1.11 10.10.1.12 207.245.109.14} port ntp keep state

# allow email connections
# <mail-hosts-int> is 10.10.1.12 (sedna), reached via the binat above
pass in on $ext_if proto tcp from any \
         to { <mail-hosts-int> carp0 } port smtp flags S/SA keep state
pass in on $ext_if proto tcp from any \
         to { <mail-hosts-int> } port {submission imap imaps pop3 pop3s} 
flags S/SA keep state

# allow http / https to some sites
# http to all of 10.10/16 except 10.10.8.5 and 10.10.8.6; https to all of 10.10/16
pass in on $ext_if proto tcp from any to <http-serv> port http flags 
S/SA keep state
pass in on $ext_if proto tcp from any to <https-serv> port https flags 
S/SA keep state

# secure ldap queries
# ldaps to the shared outside address, limited to two source ranges
pass in on $ext_if proto tcp from { 207.245.121.208/28 68.82.150.14 } \
         to carp0 port ldaps flags S/SA keep state

# bacula & amanda
# backup traffic, limited to the DMZ host .5 and the 207.245.109/24 segment
pass in on $ext_if proto tcp from 207.245.109.5 to 10.10.1.11 port 
9101:9103 keep state
pass in on $ext_if proto udp from 207.245.109.0/24 to 10.10.1.12 port 
10080 keep state
pass in on $ext_if proto udp from 207.245.109.5 port 10080 to 10.10.1.12 
keep state

# hbade rules
# NOTE(review): MySQL (3306) on 10.10.1.8 is reachable from any source; a
# source restriction would narrow the exposure considerably
pass in on $ext_if proto tcp from any to 10.10.1.8 port 3306 flags S/SA 
keep state

--

It is definitely not optimal, but I will worry about that after it works.
The addresses 207.245.109.5 & 207.245.109.129-254 are on the DMZ; the
rest of 207.245.109/24 is NATed to 10.10.1.x where it is in use.

Another problem I have is with pf's spamd: for some reason addresses on
the DMZ network don't seem to get redirected to 127.0.0.1:8025, but the
ones on the inside/NAT network do. This doesn't make sense to me because
the rdr is on the outside interface (bge0), where there is no difference
between the two sets of addresses. What is going on here?

thanks,
Tom


