Date:      Fri, 20 Nov 2015 16:34:31 +0100
From:      Daniel Bilik <ddb@neosystem.org>
To:        Kristof Provost <kp@FreeBSD.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Outgoing packets being sent via wrong interface
Message-ID:  <20151120163431.3449a473db9de23576d3a4b4@neosystem.org>
In-Reply-To: <C1D7F956-81C9-4ED4-99B8-E0C73A3ECB37@FreeBSD.org>
References:  <20151120155511.5fb0f3b07228a0c829fa223f@neosystem.org> <C1D7F956-81C9-4ED4-99B8-E0C73A3ECB37@FreeBSD.org>


[-- Attachment #1 --]
On Fri, 20 Nov 2015 16:18:10 +0100
Kristof Provost <kp@FreeBSD.org> wrote:

> Can you post your pf rules too?

Sure, pf.conf attached.

--
						Dan

[-- Attachment #2 --]
# pf.conf as posted in the freebsd-net thread "Outgoing packets being sent via
# wrong interface". Sections appear in the order pf requires: macros, options,
# scrub, queueing, translation (nat/rdr), then filtering. In the filter section
# pf applies the *last* matching rule unless a rule carries "quick", which stops
# evaluation at that rule. Almost every rule below is "quick", so the order of
# the pass/block lines is load-bearing.

# --- macros ---
int_if="re1"
ext_if="re0"
vpn_if="tap0"
# Public address; the middle octets were masked by the poster.
ext_addr="82.x.y.50"
int_net="192.168.2.0/24"
vpn_net="{ 192.168.1.0/24, 192.168.4.0/24, 192.168.123.0/24 }"
# Addresses treated as "not expected on the Internet side": the RFC 1918 ranges
# plus several groups from the 224.0.0.0/24 local-network-control multicast
# block (OSPF 224.0.0.5/6, RIPv2 224.0.0.9, PIM 224.0.0.13, ...). Used by the
# anti-spoof block on $ext_if and the egress block to $priv_net further down.
priv_net="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.1, 224.0.0.2, 224.0.0.4, 224.0.0.5, 224.0.0.6, 224.0.0.9, 224.0.0.13, 224.0.0.15 }"
webmail="192.168.2.5"
mailserver="192.168.2.15"
# Two /28 blocks may speak DNS; the second lies inside $vpn_net, not $int_net.
dnsserver="{ 192.168.2.0/28, 192.168.1.0/28 }"
switchboard="192.168.2.16"
camera="192.168.2.221"

# --- options ---
# Loopback and the VPN tunnel interface are exempted from filtering entirely:
# none of the rules below (including the block-all defaults) sees tap0 traffic.
set skip on { lo0, $vpn_if }

# --- normalisation ---
# Reassemble fragments arriving on the external side before any rule is
# evaluated; randomise the IP id field on packets leaving it.
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if random-id

# traffic control

# Class-based queueing on the 8Mb external link. Priority order is
# vpn > ssh > web > mail > default; every class may borrow unused bandwidth.
# Rules below assign traffic to a class with "queue <name>"; unassigned traffic
# lands in "default".
altq on $ext_if bandwidth 8Mb cbq queue { ssh, vpn, mail, web, default }

queue vpn bandwidth 2Mb priority 5 cbq(borrow)
queue ssh bandwidth 1Mb priority 4 cbq(borrow)
queue web bandwidth 1Mb priority 3 cbq(borrow)
queue mail bandwidth 1Mb priority 2 cbq(borrow)
queue default bandwidth 2Mb priority 1 cbq(default, borrow)

# nat

# Translation rules are first-match, so this SIP-specific rule must stay
# ahead of the general NAT rule: "static-port" keeps the UDP source port
# unchanged, whereas the general rule would rewrite it.
# note: do not change source port for this specific sip communication
nat on $ext_if proto udp from $switchboard to 188.x.y.0/24 -> $ext_addr static-port

# Everything else from the LAN is masqueraded behind $ext_addr.
nat on $ext_if from $int_net to any -> $ext_addr

# Services published on $ext_addr. rdr rewrites the destination *before* the
# filter rules run, so the matching "pass in quick on $ext_if" rules further
# down are written against the internal hosts ($mailserver, $webmail, ...),
# not against $ext_addr. Port lists here and there must be kept in sync.
rdr on $ext_if proto tcp from any to $ext_addr port { 25, 465, 587, 995 } -> $mailserver
rdr on $ext_if proto tcp from any to $ext_addr port { 443, 777, 5145 } -> $webmail
rdr on $ext_if proto tcp from any to $ext_addr port { 554, 6036 } -> $camera
rdr on $ext_if proto tcp from any to $ext_addr port 6543 -> $switchboard
rdr on $ext_if proto tcp from any to $ext_addr port 6992 -> $switchboard

# Transparent FTP proxy: ftp-proxy(8) fills these anchors at runtime; the
# "rdr pass" rule hands LAN clients' FTP control connections (tcp/21) to the
# local proxy on 127.0.0.1:8021 and passes them without further evaluation.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# firewall

# Default deny for inbound traffic, logged. Not "quick", so it only wins when
# no later rule matches.
block in log all

# CARP traffic on the LAN side (presumably a failover peer; not shown here).
pass in quick on $int_if inet proto carp

# Mail submission from the LAN may only reach $mailserver (10024 is presumably
# a content-filter port in front of it - confirm); SMTP to any other host is
# blocked and logged. The pass must precede the block because both are quick.
pass in quick on $int_if inet proto tcp from any to $mailserver port { 25, 465, 587, 10024 } keep state
block in log quick on $int_if inet proto tcp from any to any port { 25, 465, 587 }

# Same pattern for DNS: only hosts in $dnsserver may send or receive port-53
# traffic through the LAN interface; everything else on 53 is blocked first.
pass in quick on $int_if inet proto { tcp, udp } from any to $dnsserver port 53 keep state
pass in quick on $int_if inet proto { tcp, udp } from $dnsserver to any port 53 keep state
block in log quick on $int_if inet proto { tcp, udp } from any to any port 53

# General LAN egress (any destination, including the firewall itself) and
# VPN-network sources arriving on $int_if that are bound for the LAN.
pass in quick on $int_if inet from $int_net to any keep state
pass in quick on $int_if inet from $vpn_net to $int_net keep state

# GRE from the LAN to one fixed external host (looks like a PPTP-style tunnel
# endpoint - verify with the poster). Note "inet" is not given on this rule.
pass in quick on $int_if proto gre from $int_net to 82.x.y.22 keep state

# Anti-spoofing on the Internet side: drop anything with a private or
# local-multicast source. $int_net and $vpn_net fall inside 192.168.0.0/16,
# so they are covered as well.
block in log quick on $ext_if from $priv_net to any

# Inbound services. The ICMP rule carries no type restriction, so every ICMP
# type addressed to $ext_addr is accepted. It also omits "keep state"; on
# FreeBSD's pf a pass rule keeps state by default, so this is most likely
# immaterial - confirm against the running release.
pass in quick on $ext_if inet proto icmp from any to $ext_addr
# OpenVPN (udp/1194) from one fixed peer only; queued as vpn.
pass in quick on $ext_if inet proto udp from 82.x.y.62 to $ext_addr port 1194 keep state queue vpn
# SSH is reachable from any source, with no per-source connection limit.
pass in quick on $ext_if inet proto tcp from any to $ext_addr port 22 keep state queue ssh
# Mail (SMTP/SMTPS/submission/POP3S) and webmail: at most 50 simultaneous
# connections per source address, tracked per rule.
pass in quick on $ext_if inet proto tcp from any to $mailserver port { 25, 465, 587, 995 } keep state (source-track rule, max-src-conn 50) queue mail
pass in quick on $ext_if inet proto tcp from any to $webmail port { 443, 777, 5145 } keep state (source-track rule, max-src-conn 50) queue web
# Camera (554 = RTSP) and switchboard ports are open to any source without a
# connection limit; these correspond to the rdr rules in the nat section.
pass in quick on $ext_if inet proto tcp from any to $camera port { 554, 6036 } keep state
pass in quick on $ext_if inet proto tcp from any to $switchboard port { 6543, 6992 } keep state

# Default deny for outbound traffic, logged; like "block in log all", not quick.
block out log all

# Never emit traffic towards private/local-multicast destinations or NetBIOS
# (137-139) on the external link. Logged, so a packet that left via the wrong
# interface with a LAN destination would show up in pflog here.
block out log quick on $ext_if from any to $priv_net
block out log quick on $ext_if inet proto { tcp, udp } from any to any port 137:139

# Filter rules installed by ftp-proxy(8) (see the nat/rdr anchors above).
anchor "ftp-proxy/*"

# Outbound mail from $mailserver and outbound OpenVPN to the fixed peer get
# their own queues; everything else leaving either interface is passed
# statefully. No source-address restriction is applied on egress.
pass out quick on $ext_if inet proto tcp from $mailserver to any keep state queue mail
pass out quick on $ext_if inet proto udp from $ext_addr to 82.x.y.62 port 1194 keep state queue vpn
pass out quick on { $ext_if, $int_if } inet from any to any keep state
