Date: Mon, 24 Mar 2008 17:03:52 -0700
From: Doug Sampson <dougs@dawnsign.com>
To: 'Max Laier' <max@love2party.net>, freebsd-pf@freebsd.org
Subject: RE: Bacula File/Storage Connection Woes using PF
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D6D028B@cetus.dawnsign.com>
> On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
> > I want to back up a client running packet filter. I am using Bacula to
> > back up this client to a Bacula server in the internal network. The
> > Bacula client has two interfaces - one external and one internal. The
> > client's internal IF is 192.168.1.25. The Bacula server is at
> > 192.168.1.17.
> >
> > When I attempt to contact the Bacula file daemon on the client, it
> > responds by sending packets to the Bacula server daemon at a different
> > port. It should contact the storage daemon at port 9103 but instead it
> > attempts to contact the storage daemon at a port address that is not
> > 9103. Thus the backup job fails.
> >
> > I've tried rdr to no avail. Here's my pf.conf:
> >
> > mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf
>
> use "pfctl -vvsr" instead of -nf to make sure you really get the rules
> that are loaded and not those that you wanted to load.

mailfilter-root@/usr/local/etc# pfctl -vvsr
No ALTQ support in kernel
ALTQ related functions disabled
@0 scrub in all fragment reassemble
  [ Evaluations: 18953753 Packets: 9488185 Bytes: 0 States: 0 ]
@0 block drop in log all
  [ Evaluations: 125309 Packets: 710 Bytes: 107361 States: 0 ]
@1 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
  [ Evaluations: 61682 Packets: 333 Bytes: 141046 States: 0 ]
@2 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
  [ Evaluations: 92705 Packets: 0 Bytes: 0 States: 0 ]
@3 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
  [ Evaluations: 78929 Packets: 0 Bytes: 0 States: 0 ]
@4 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
  [ Evaluations: 29478 Packets: 0 Bytes: 0 States: 0 ]
@5 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
  [ Evaluations: 75458 Packets: 0 Bytes: 0 States: 0 ]
@6 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
  [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
@7 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
  [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
@8 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
  [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
@9 block drop out log quick on rl0 inet from any to 127.0.0.0/8
  [ Evaluations: 62532 Packets: 0 Bytes: 0 States: 0 ]
@10 block drop out log quick on rl0 inet from any to 192.168.0.0/16
  [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
@11 block drop out log quick on rl0 inet from any to 172.16.0.0/12
  [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
@12 block drop out log quick on rl0 inet from any to 10.0.0.0/8
  [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
@13 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
  [ Evaluations: 125309 Packets: 0 Bytes: 0 States: 0 ]
@14 block drop in log quick inet from 192.168.1.25 to any
  [ Evaluations: 112752 Packets: 0 Bytes: 0 States: 0 ]
@15 pass in on xl0 inet from 192.168.1.0/24 to any
  [ Evaluations: 61682 Packets: 60947 Bytes: 17390149 States: 0 ]
@16 pass out log on xl0 inet from any to 192.168.1.0/24
  [ Evaluations: 124639 Packets: 51070 Bytes: 43963111 States: 0 ]
@17 pass out log quick on xl0 inet from any to 10.8.0.0/24
  [ Evaluations: 51070 Packets: 0 Bytes: 0 States: 0 ]
@18 pass out on rl0 proto tcp all flags S/SA modulate state
  [ Evaluations: 64297 Packets: 53895 Bytes: 42581384 States: 4 ]
@19 pass out on rl0 proto udp all keep state
  [ Evaluations: 12557 Packets: 23586 Bytes: 1793665 States: 0 ]
@20 pass out on rl0 proto icmp all keep state
  [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
@21 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
  [ Evaluations: 74239 Packets: 0 Bytes: 0 States: 0 ]
@22 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
  [ Evaluations: 112420 Packets: 0 Bytes: 0 States: 0 ]
mailfilter-root@/usr/local/etc#

According to the output of "pfctl -vvsr", the packets are being allowed back
into the internal network, which is what I want (according to rule #16).
However, I don't quite understand why the Bacula client is asking for a
higher port number other than 9103. I am not seeing this behavior on any of
my other Bacula clients. Is there another way of writing rules that will
enable the Bacula client to pass packets to the correct port number?

>
> From the rules you quote above, I don't see why pf should interfere with
> ports towards your internal net, but then again you might be having other
> rules loaded than you think you are - the pflog is a strong indication.

True.

~Doug
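A small parser for the "pfctl -vvsr" counter output, added here as an example and not code from the thread: pairing each rule with its counter line makes it quick to see which block rules actually dropped packets, which is the check Max is pointing at. The sample text is constructed from a few of the rule lines quoted above.

```python
import re

# Constructed sample in the shape of "pfctl -vvsr" output; the rules and
# counter values are copied from the listing quoted in this thread.
SAMPLE = """\
No ALTQ support in kernel
ALTQ related functions disabled
@0 scrub in all fragment reassemble
  [ Evaluations: 18953753 Packets: 9488185 Bytes: 0 States: 0 ]
@0 block drop in log all
  [ Evaluations: 125309 Packets: 710 Bytes: 107361 States: 0 ]
@16 pass out log on xl0 inet from any to 192.168.1.0/24
  [ Evaluations: 124639 Packets: 51070 Bytes: 43963111 States: 0 ]
@18 pass out on rl0 proto tcp all flags S/SA modulate state
  [ Evaluations: 64297 Packets: 53895 Bytes: 42581384 States: 4 ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
STATS_RE = re.compile(
    r"^\s*\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)"
    r"\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)


def parse_pfctl_vvsr(text):
    """Pair each '@N rule' line with the counter line that follows it."""
    rules, pending = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            pending = {"index": int(m.group(1)), "rule": m.group(2).strip()}
            continue
        m = STATS_RE.match(line)
        if m and pending is not None:
            pending.update(evaluations=int(m.group(1)), packets=int(m.group(2)),
                           bytes=int(m.group(3)), states=int(m.group(4)))
            rules.append(pending)
            pending = None
    return rules


def block_rules_with_hits(rules):
    """Block rules whose packet counter is non-zero: these really dropped traffic."""
    return [r for r in rules if r["rule"].startswith("block") and r["packets"] > 0]


def rules_mentioning(rules, needle):
    """Rules whose text names a host, network, interface or port of interest."""
    return [r for r in rules if needle in r["rule"]]
```

Feeding it the real output (pfctl -vvsr | python3 script.py, with SAMPLE replaced by sys.stdin.read()) lists the block rules worth checking in pflog first.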
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9DE6EC5B5CF8C84281AE3D7454376A0D6D028B>