Date: Thu, 13 Nov 2008 10:58:23 -0500
From: FreeBSD <freebsd@optiksecurite.com>
To: vadim_nuclight@mail.ru
Cc: freebsd-pf@freebsd.org
Subject: Re: RDR not triggered
Message-ID: <491C4E9F.90903@optiksecurite.com>
In-Reply-To: <slrngho54e.21b5.vadim_nuclight@server.filona.x88.info>
References: <491B5715.8040601@optiksecurite.com> <slrngho54e.21b5.vadim_nuclight@server.filona.x88.info>
Vadim Goncharov wrote:
> Hi FreeBSD!
>
> On Wed, 12 Nov 2008 17:22:13 -0500; FreeBSD wrote about 'RDR not triggered':
>
>> Quick explanation of my setup:
>
>> We have 2 webservers, a frontend and a backend. The frontend has a jail
>> for Lighttpd (images server) and Apache on the base system (for PHP).
>> There is one public IP associated to the jail on the public side of the
>> frontend server. There is only one internal private IP. The jail is
>> bound to 127.0.0.25 and a RDR on the external interface is redirecting
>> the traffic into the jail when the request arrives with its public IP as
>> destination.
>
>> rdr on $EXT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD
>> port http
>
>> That's working great for external connections.
>
>> The problem is that the backend server needs to access the Lighttpd jail
>> by the public IP of the frontend server. I understand that I can't
>> redirect the traffic inside the jail with a RDR on the external
>> interface because the packets don't pass through that interface. That's
>> why I created a copy of the above RDR but on the internal interface.
>
>> rdr on $INT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD
>> port http
>
>> That rule is never triggered even when the traffic, according to
>> tcpdump, corresponds to the criteria. At the moment, the RDR for
>> the internal interface is just before the external one.
>
>> The pfctl -gvvvsn output for these 2 rules:
>
>> @0 rdr on bge1 inet proto tcp from any to 66.AAA.BB.66 port = http ->
>> 127.0.0.25 port 80
>> [ Skip steps: d=end f=9 p=9 sa=end sp=12 da=2 dp=2 ]
>> [ queue: qname= qid=0 pqname= pqid=0 ]
>> [ Evaluations: 91246 Packets: 0 Bytes: 0
>> States: 0 ]
>> @1 rdr on bge0 inet proto tcp from any to 66.AAA.BB.66 port = http ->
>> 127.0.0.25 port 80
>> [ Skip steps: i=9 d=end f=9 p=9 sa=end sp=12 ]
>> [ queue: qname= qid=0 pqname= pqid=0 ]
>> [ Evaluations: 91246 Packets: 3261224 Bytes: 2403004153
>> States: 2531 ]
> [...]
>> Nothing is blocked on either of the servers. The packets are simply not
>> redirected and are passed to the Apache on the base system of the frontend
>> server instead of going into the Lighttpd jail, only when coming from the
>> internal network.
>> I'm using FreeBSD 6.2 on the frontend and 7.0 on the backend.
>
> It is possible that you have "set skip on $INT_IF" - in that case all that
> interface's rules will not work. Or another reason, need to see complete pf
> ruleset. Or try "rdr pass ..."
>

D'OH!!! You're right, there was a set skip on $INT_IF... I wasted all my afternoon trying to debug that.

Thanks a lot for your reply. You just made my day :)

Martin

> I've asked some people, they tried similar (but not exact!) setup on 6.1/7.0,
> it worked. So it may be a bug in your version of pf, if not ruleset.
>
> The last possible reason - architectural flaw of pf, which binds IPs for states
> to interfaces, in that case you will need to do ipfw fwd (can use both ipfw and
> pf simultaneously).
>
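The "set skip" trap diagnosed in this thread, as an added example that is not part of the thread or of pf itself: a small shell lint that expands pf.conf macros and reports every rule bound to an interface listed in "set skip on", since pf never evaluates any rule on a skipped interface. It assumes simple NAME="value" macros and brace lists written with spaces ("{ a b }"); the sample pf.conf below is constructed, with placeholder addresses in place of the thread's masked ones.

```shell
# Lint a pf.conf for rules bound to an interface that "set skip on" disables;
# pf never evaluates rules on a skipped interface, so such rules are dead.
find_skipped_rules() {
    awk '
    # Remember NAME="value" macros so $NAME can be expanded below.
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
        n = $0; sub(/[ \t]*=.*/, "", n)
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v)
        macro[n] = v; next
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { line[NR] = $0 }
    # Expand one $MACRO token and strip list punctuation.
    function mac(w) { if (substr(w,1,1) == "$") w = macro[substr(w,2)]; gsub(/[{},]/, "", w); return w }
    # Interfaces named after the "on" keyword: a single name or a { a b } list.
    function ifaces(s,    n, t, i, out) {
        n = split(s, t, /[ \t]+/); out = ""
        for (i = 1; i <= n; i++) if (t[i] == "on") break
        if (i > n) return ""
        if (t[i+1] == "{") { for (i += 2; i <= n && t[i] != "}"; i++) out = out " " mac(t[i]) }
        else out = mac(t[i+1])
        return out
    }
    END {
        for (i = 1; i <= NR; i++) if ((i in line) && line[i] ~ /^[ \t]*set[ \t]+skip[ \t]+on/) {
            n = split(ifaces(line[i]), s, " "); for (j = 1; j <= n; j++) skip[s[j]] = 1
        }
        for (i = 1; i <= NR; i++) if ((i in line) && line[i] !~ /^[ \t]*set[ \t]/) {
            n = split(ifaces(line[i]), s, " ")
            for (j = 1; j <= n; j++) if (s[j] in skip)
                printf "line %d: rule on %s is dead (set skip on %s): %s\n", i, s[j], s[j], line[i]
        }
    }' "$1"
}
# Constructed pf.conf shaped like the thread; the fix is to drop $INT_IF from set skip and pass on it explicitly.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
EXT_IF="bge0"
INT_IF="bge1"
IMG_SERVER="192.0.2.66"
LIGHTTPD="127.0.0.25"
set skip on { $INT_IF lo0 }
rdr on $INT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http
rdr on $EXT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http
EOF
    echo "$f"
}
find_skipped_rules "$(sample_conf)"
```

On the live system, `pfctl -s Interfaces -v` marks skipped interfaces with "(skip)", and the Packets counter in `pfctl -vvsn` stays at zero for a rule that is never reached, exactly as in the @0 rule above.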
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?491C4E9F.90903>