Date: Tue, 25 Mar 2008 15:53:15 -0700
From: Doug Sampson <dougs@dawnsign.com>
To: 'Greg Hennessy' <Greg.Hennessy@nviz.net>
Cc: freebsd-pf@freebsd.org
Subject: RE: Bacula File/Storage Connection Woes using PF
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0290@cetus.dawnsign.com>
> > Is there another way of writing rules that will enable the Bacula client to
> > pass packets to the correct port number?
>
> Yes, make the 1st rule
>
> block log all
>
> to drop both ingress and egress traffic by default.
>
> Secondly get rid of the stateless rules. Use keep state everywhere, with
> flags S/SA if matching tcp traffic.

I hate to bug you guys but I ain't a pf guru like you guys. I am not
understanding the significance of the "keep state" and the "flags S/SA
synproxy state" qualifiers. I have been copying some rules from articles
here and there. Thus these rules are not unified in the sense that they were
designed from the beginning to work harmoniously.

Would it be helpful if I supplied the actual pf.conf below and let you have
at it? See the new addition I added today below, in which I added "keep
state" at the end of the rule. Would this enable the Bacula client to accept
packets from the Bacula server and send packets out to port 9103 on the
Bacula server?

Here's my pf.conf:

# $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="rl0"    # replace with actual external interface name i.e., dc0
int_if="xl0"    # replace with actual internal interface name i.e., dc1
internal_net="192.168.1.1/24"
external_addr="xxx.xxx.xxx.xxx"
vpn_net="xxx.xxx.xxx.xxx/24"

# Added by DSS - 2/28/07
NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"

# machines inside
webserver ="192.168.1.4"

set skip on lo0
set skip on gif0

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if from $internal_net to any -> ($ext_if)
nat on $ext_if from $vpn_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
rdr on $ext_if proto tcp from any to $external_addr/32 port 80 -> $webserver port 80

# spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"

# redirect to spamd
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr pass inet proto tcp from <spamd-white> to $external_addr port smtp -> 127.0.0.1 port smtp
rdr pass inet proto tcp from <spamd> to $external_addr port smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from !<spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port spamd

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all

# allow inbound/outbound mail!
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state

# added by DSS - 2/28/07
pass in quick log on $int_if proto tcp from any to $int_if port 22 flags S/SA synproxy state
block in quick log on $ext_if from $NoRouteIPs to any
block out quick log on $ext_if from any to $NoRouteIPs
antispoof log quick for $int_if inet

# pass all traffic to and from the local network
pass in on $int_if from $internal_net to any
pass out log on $int_if from any to $internal_net
pass out quick log on $int_if from any to $vpn_net
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $ext_if inet proto tcp from any to $webserver port 80 flags S/SA synproxy state
pass in on $int_if proto tcp from any to $int_if port 22 keep state

# added by DSS - 3/25/08
pass in on $int_if proto tcp from any to $int_if port 9102 keep state
# end of DSS's additions

Thank you!

~Doug
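As an added illustration of the advice in the quoted reply (a default "block log all" plus stateful rules with "flags S/SA"), here is a small pf.conf fragment for the two Bacula connections Doug describes: the inbound connection to the file daemon on port 9102 and the outbound connection to the storage daemon on port 9103. This is example configuration written for this page, not Doug's pf.conf and not from the Bacula or pf projects; the Bacula server address 192.168.1.10 and the macro names bacula_srv, fd_port and sd_port are assumptions, and int_if="xl0" is taken from Doug's config.

```pf
# Added example fragment, not part of the original message.
# Assumptions: the Bacula director and storage daemon live on one host at
# 192.168.1.10 (placeholder), reached through the internal interface xl0.
int_if = "xl0"
bacula_srv = "192.168.1.10"   # assumed director/storage daemon address
fd_port = "9102"              # Bacula file daemon (the client) listens here
sd_port = "9103"              # Bacula storage daemon port

# Default deny in both directions. pf filter rules are last-match, so each
# later "pass" rule overrides this for exactly the traffic it names, and
# everything else is dropped and logged.
block log all

# Director -> file daemon: inbound TCP to port 9102 on this host.
# "flags S/SA" checks only the SYN and ACK bits and requires SYN set with
# ACK clear, so only the first packet of a handshake can match; "keep state"
# then creates a state entry that carries the rest of the connection,
# including the reply packets, without a separate "pass out" rule.
pass in on $int_if proto tcp from $bacula_srv to $int_if port $fd_port flags S/SA keep state

# File daemon -> storage daemon: outbound TCP to port 9103. The state entry
# created here lets the storage daemon's replies back in on $int_if, which
# is the return path Doug's stateless rules would not cover.
pass out on $int_if proto tcp from $int_if to $bacula_srv port $sd_port flags S/SA keep state
```

The "synproxy state" seen elsewhere in Doug's config is a stricter variant of "keep state": pf completes the TCP three-way handshake with the remote peer itself and only then opens a connection to the protected host, so half-open connections never reach it. For the Bacula rules above, plain "keep state" is enough to solve the return-path problem; "synproxy state" can be substituted on the inbound rule if that extra protection is wanted, but it is not needed for the outbound one.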