From: "Frank Cases" <fcases@teliax.com>
To: freebsd-current@freebsd.org
Date: Wed, 8 Jun 2005 21:20:42 -0000 (UTC)
Subject: pf and carp

my setup is at http://pastebin.ca/13602
the pf has changed a lot since that post, but mainly my problem is a pf configuration issue.

020096 rule 6/0(match): pass in on xl0: IP 172.16.0.101.14906 > 192.168.1.22.47468: UDP, length: 172
019964 rule 6/0(match): pass in on xl0: IP 172.16.0.101.14906 >

first 192.168.x is the client internal ip from far far away... why is it here? I don't know.
also, on the client side I see those as being 172.16.0.101, so I need to rewrite my internal to external. problem is it doesn't work.

Any help appreciated...

my pf.conf

# Variable definitions.
#
ext_if = "xl2"
int_if = "xl0"
loop = "lo0"
pfsync_if = "xl1"
ext_ifs = "{ xl2, carp0, carp1 }"
int_ifs = "{ xl0, carp2, carp3 }"
ext_carps = "{ carp0, carp1 }"
ext_ip = "204.18.109.140"
int_ip = "172.16.0.200"
server = "{ 172.16.0.101, 172.16.0.100 }"
int_net = "172.16.0.1/24"
voip_tcp = "5060"
voip_udp = "{ 5060, 4569, 5036, 9999 >< 20001, 2727 }"
table { 172.16.0.100, 172.16.0.101 }
#TCP_OPTIONS = "flags S/SAFRUP keep state"
TCP_OPTIONS = " keep state"
reserved = " { 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255 } "

scrub in on $ext_if all

####
# Nat rules
#
#internal out rewriting ?
#perform NAT on the xl2 interface for any packets coming from 172.16.0.0/24 and to replace the source IP address with 204.18.109.140
nat on $ext_ifs from $int_if/24 to any -> $ext_ip
nat on $int_if proto tcp from $int_net to $server -> $int_ip
nat on $int_if proto udp from $int_net to $server -> $int_ip
###nat pass on $int_ifs from $int_net to any -> $ext_ip
#no nat on $ext_if from 204.18.109.140 to any

### PLAYING
binat on $ext_ifs from 172.16.0.101 to any -> 204.18.109.140
binat on $ext_ifs from 172.16.0.100 to any -> 204.18.109.140
#### END PLAYING

#rewrite to loadbalance
#rdr on $ext_carps inet proto tcp from any to $ext_ip port 4569 -> 172.16.0.101 port 4569
#rdr on $ext_carps inet proto tcp from any to $ext_ip port 5060 -> 172.16.0.101 port 5060
#rdr on $ext_carps inet proto udp from any to $ext_ip port 5060 -> 172.16.0.101 port 5060
#rdr pass on $ext_if proto tcp from any to any port 80 -> $server port 80
rdr pass on $ext_ifs proto tcp from any to any port 80 -> $server port 80
rdr pass on $ext_ifs proto tcp from any to any port 4569 -> $server port 4569
rdr pass on $ext_ifs proto tcp from any to any port 5060 -> $server port 5060
rdr pass on $ext_ifs proto udp from any to any port 4569 -> $server port 4569
rdr pass on $ext_ifs proto udp from any to any port 5060 -> $server port 5060
rdr pass on $ext_ifs proto udp from any to any port 9999:20001 -> $server
rdr pass on $ext_ifs proto udp from any to any port 2727 -> $server port 2727
rdr pass on $ext_ifs proto tcp from any to any port $voip_tcp -> $server port $voip_tcp
rdr pass on $ext_ifs proto udp from any to any -> $server

###
#RULES
#
block out log-all on $ext_if all
block in log-all on $ext_if all

#carp rules
pass out log-all on $ext_carps proto carp keep state

#pfsync rules
pass on $pfsync_if proto pfsync

#local nic all pass Rule #1
pass in quick on lo0 all

# log and allow all on int_if i should add quick
pass log-all on $int_if all

###################################################### OUT ###########################
#PASSOUT INTERNAL NET
pass out quick log-all on $int_if inet proto tcp from $int_if to any keep state
pass out quick log-all on $ext_ifs inet proto tcp from $ext_ifs to any keep state

# Main pass out ------ BAILS OUT OF RULES
#pass out log quick on $ext_if proto udp all keep state
pass out log quick on $ext_ifs proto udp all keep state
pass out log quick on $int_if proto udp all keep state
#pass out log quick on $ext_if proto tcp all keep state
pass out log quick on $ext_ifs proto tcp all keep state
pass out log quick on $int_if proto tcp all keep state

###################################################### IN ###########################
#DNS ------ BAILS OUT OF RULES
pass in quick on $ext_if proto udp from any port = 53 to $ext_if port = 53 keep state
pass in quick on $int_if proto udp from any port = 53 to $ext_if port = 53 keep state

#WEB ------ BAILS OUT OF RULES
pass in log-all quick on $ext_if inet proto carp from any to $ext_ifs $TCP_OPTIONS
pass in log-all quick on $ext_if inet proto tcp from any to $ext_ifs port 80 $TCP_OPTIONS

#asterisk 4569 5060 ------ BAILS OUT OF RULES
pass in log-all on $ext_ifs inet proto tcp from any to any port $voip_tcp flags S/SA keep state
pass out log-all on $ext_ifs inet proto tcp all flags S/SA keep state
pass in log-all on $ext_ifs inet proto udp from any to any port $voip_udp keep state
pass out log-all on $ext_ifs proto udp all keep state
pass in log-all quick on $ext_ifs inet proto tcp from any to $ext_ifs port 5060 $TCP_OPTIONS
pass in log-all quick on $ext_ifs inet proto udp from any to $ext_ifs port 5060 $TCP_OPTIONS
pass in log-all quick on $ext_ifs inet proto tcp from any to $ext_ifs port 4569 $TCP_OPTIONS
pass in log-all quick on $ext_ifs inet proto udp from any to $ext_ifs port 4569 $TCP_OPTIONS
pass in log-all on $ext_ifs inet proto udp from any to any port $voip_udp $TCP_OPTIONS

#SSH ------ BAILS OUT OF RULES
pass in log-all quick inet proto tcp from any to $ext_if port 1978 keep state

#ICMP Both ways
pass in on $ext_ifs inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_ifs inet proto icmp all icmp-type 36 keep state
pass out on $ext_ifs inet proto icmp all keep state
pass out on $int_ifs inet proto icmp all keep state

Frank
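An added diagnostic, written here as an example and not part of Frank's post, that parses tcpdump-on-pflog0 lines in the format quoted above and checks them against the $reserved, $int_net and $ext_ifs macros from the pf.conf: it flags any packet carrying a private address that is not the local LAN (the 192.168.1.22 case) and any outbound packet on an external interface that still has a LAN source (pf translates outbound packets before filtering them, so such a line means no nat rule matched). The log lines are constructed; the $reserved list, interface names and networks are copied from the post.

```python
import ipaddress
import re
# Macros copied from the pf.conf in the post. pf accepts "172.16.0.1/24" as a
# network; Python needs strict=False to drop the host bits.
INT_NET = ipaddress.ip_network("172.16.0.1/24", strict=False)  # $int_net
EXT_IFS = {"xl2", "carp0", "carp1"}                              # $ext_ifs
RESERVED = [ipaddress.ip_network(n) for n in (                   # $reserved
    "0.0.0.0/8", "10.0.0.0/8", "20.20.20.0/24", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3", "255.255.255.255/32")]

# tcpdump-on-pflog0 line layout as quoted in the post (rule, verdict, direction, interface).
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<act>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+)")

# Constructed sample: the line from the post, an untranslated outbound packet, a clean one.
SAMPLE_LOG = """\
020096 rule 6/0(match): pass in on xl0: IP 172.16.0.101.14906 > 192.168.1.22.47468: UDP, length: 172
000412 rule 12/0(match): pass out on xl2: IP 172.16.0.101.14906 > 198.51.100.7.4569: UDP, length: 64
000033 rule 12/0(match): pass out on xl2: IP 204.18.109.140.14906 > 198.51.100.7.4569: UDP, length: 64
"""

def parse_pflog(text):
    """One dict per parseable line; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["src"], rec["dst"] = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
            records.append(rec)
    return records

def in_reserved(addr):
    a = ipaddress.ip_address(addr)  # accepts a string or an address object
    return any(a in net for net in RESERVED)

def find_nat_problems(records):
    """Flag packets that the nat/binat rules should never let through as-is."""
    findings = []
    for r in records:
        # A private address outside our own LAN is unreachable once the packet leaves the box.
        for side in ("src", "dst"):
            if in_reserved(r[side]) and r[side] not in INT_NET:
                findings.append((r["iface"], r["dir"], side, str(r[side]), "foreign private address"))
        # Outbound on $ext_ifs is filtered after translation, so a LAN source here means nat missed.
        if r["dir"] == "out" and r["iface"] in EXT_IFS and r["src"] in INT_NET:
            findings.append((r["iface"], r["dir"], "src", str(r["src"]), "untranslated LAN source"))
    return findings
```

Run it over `tcpdump -n -e -ttt -i pflog0` output to separate packets that pf has already translated from packets carrying an address the far end handed out itself.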