Date: Wed, 2 Jan 2008 08:46:43 -0800 (PST)
From: Tommy Pham <tommyhp2@yahoo.com>
To: freebsd-pf@freebsd.org
Subject: RE: load-balancing, DNS
Message-ID: <358998.94924.qm@web38208.mail.mud.yahoo.com>
In-Reply-To: <BLU109-W6AA1E1FC7FA0C1D4F78F2B1520@phx.gbl>
Hi Michael,

Here is my ruleset:

NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 60000, frags 30000 }
#set loginterface re0
#set require-order yes
#set fingerprints "/etc/pf.os"
#set optimization aggressive
set optimization normal
set block-policy drop
set skip on lo

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in

# Queueing

# nat/rdr
nat on $ext_if1 from $lan_net to any -> ($ext_if1) round-robin
nat on $ext_if2 from $lan_net to any -> ($ext_if2) round-robin
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \
    port $www_ports -> $www_sys
rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \
    port $www2_ports -> $www2_sys

# Rules
#block in log on $ext_if1 from $NoRouteIPs to any
#block out log on $ext_if1 from any to $NoRouteIPs
#block in log on $ext_if2 from $NoRouteIPs to any
#block out log on $ext_if2 from any to $NoRouteIPs
block in log
block out log
pass on $int_if
#anchor "ftp-proxy/*"
antispoof log quick for { lo $int_if }

# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin proto tcp from $lan_net to any \
    flags S/SA modulate state

# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin proto { udp, icmp } from $lan_net to any keep state

pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from any to { $ns1a, $ns1b } keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    from any to { $ns2a, $ns2b } keep state

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# allowed services
pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www_sys port $www_ports \
    flags S/SA synproxy state
pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www2_sys port $www2_ports \
    flags S/SA synproxy state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

I still need to refine more on the rules to tighten security.

~Tommy

--- Michael Zimmer <drakyri@hotmail.com> wrote:

>
> Turns out that those actually completely (instead of the ~75% success
> rate before) disabled the DNS access of the client machines.
>
> I can't think why that wouldn't work, though - added these to the
> top, just below the SSH-allow entries:
>
> pass in quick on $int_if route-to ($ext_if1 $ext_gw1) from any to { $ns1a, $ns1b } keep state
> pass in quick on $int_if route-to ($ext_if2 $ext_gw2) from any to { $ns2a, $ns2b } keep state
>
> ...with nsXY appropriately defined. Should these be reply-to also?
>
> ...I changed the main load-balancing rules as suggested:
>
> pass in quick on $int_if reply-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
>     proto { tcp icmp udp } from 192.168.1.1/24 to any flags S/SA keep state
> pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
>     sticky-address proto { tcp icmp udp } from any to any flags S/SA keep state
>
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>
> ...I'd really appreciate any suggestions. : )
>
> thanks,
> mike
>
>
> > From: drakyri@hotmail.com
> > To: tommyhp2@yahoo.com; freebsd-pf@freebsd.org; mksmith@adhost.com
> > Date: Wed, 2 Jan 2008 09:45:38 +0000
> > CC:
> > Subject: RE: load-balancing, DNS
> >
> > Thanks to both of you ... it looks okay remotely - I'll test it on-site
> > tomorrow.
> >
> > -mike
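As an added illustration, not code from either poster, the following Python model reproduces the two pf evaluation rules this thread hinges on: the last matching rule wins unless a matching rule is quick, and route-to with round-robin hands each new state the next gateway in the pool. The LAN prefix and nameserver addresses are constructed placeholders for $lan_net, $ns1a and $ns2a; the model shows why the nameserver pins must be quick and must sit above the round-robin balancer for DNS to leave through the right ISP link.

```python
from dataclasses import dataclass, field
from itertools import cycle
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    protos: frozenset        # allowed protocols; empty set = any protocol
    src: str                 # source network (CIDR)
    dsts: frozenset          # destination hosts, or {"any"}
    gateways: tuple          # route-to pool; more than one entry = round-robin
    quick: bool = False      # 'quick' ends evaluation at this rule
    _pool: object = field(default=None, repr=False)

    def matches(self, proto, src, dst):
        return ((not self.protos or proto in self.protos)
                and ip_address(src) in ip_network(self.src)
                and ("any" in self.dsts or dst in self.dsts))

    def pick_gateway(self):
        if self._pool is None:                 # round-robin: each new state
            self._pool = cycle(self.gateways)  # takes the next pool member
        return next(self._pool)

def route_flow(rules, proto, src, dst):
    """Gateway pf hands a new flow to: the LAST matching rule wins unless a
    matching rule is 'quick', which stops evaluation immediately."""
    winner = None
    for rule in rules:
        if rule.matches(proto, src, dst):
            winner = rule
            if rule.quick:
                break
    return winner.pick_gateway() if winner else None

def trace(rules, flows):
    """Route each (proto, src, dst) flow in order; return the chosen gateways."""
    return [route_flow(rules, *flow) for flow in flows]
# Constructed placeholders standing in for $lan_net, $ns1a and $ns2a.
LAN, NS1, NS2 = "192.168.1.0/24", frozenset({"10.1.0.53"}), frozenset({"10.2.0.53"})
ANY_PROTO, ANY_DST = frozenset(), frozenset({"any"})
def pin_ns1(quick): return Rule(ANY_PROTO, "0.0.0.0/0", NS1, ("gw1",), quick)
def pin_ns2(quick): return Rule(ANY_PROTO, "0.0.0.0/0", NS2, ("gw2",), quick)
def balance(quick): return Rule(frozenset({"tcp", "udp", "icmp"}), LAN, ANY_DST, ("gw1", "gw2"), quick)

# Tommy's ordering: quick pinning rules first, round-robin balancer after them.
def pinned_ruleset(): return [pin_ns1(True), pin_ns2(True), balance(False)]
# Same order but pins not quick: last match wins, so the balancer overrides them.
def unquick_ruleset(): return [pin_ns1(False), pin_ns2(False), balance(False)]
# A quick balancer placed above the pins: DNS never reaches the pinning rules.
def quick_balancer_first(): return [balance(True), pin_ns1(True), pin_ns2(True)]
```

Run trace() over a few DNS queries to NS1 followed by web connections: only pinned_ruleset() keeps every DNS query on gw1 while still alternating the web flows, and the other two orderings spray DNS across both links.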