Date:      Wed, 10 Mar 2021 19:15:23 +0100
From:      Ludovit Koren <ludovit.koren@gmail.com>
To:        Ultima <ultima1252@gmail.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: PF - reply-to
Message-ID:  <867dmeub7o.fsf@gmail.com>
In-Reply-To: <CANJ8om5_2_2oGZ4_zj4y_Xg04V5MXzy99_YV-Z4pwQic=GRdEw@mail.gmail.com> (Ultima's message of "Tue, 9 Mar 2021 21:01:09 -0800")
References:  <8635x6vli2.fsf@gmail.com> <CANJ8om5RJBD=EmzRPpD_%2BavrRgpWBNGj9NbXfyUdOKcaL00vgA@mail.gmail.com> <86y2exubbq.fsf@gmail.com> <CANJ8om5_2_2oGZ4_zj4y_Xg04V5MXzy99_YV-Z4pwQic=GRdEw@mail.gmail.com>


[-- Attachment #1 --]
>>>>> Ultima  <ultima1252@gmail.com> writes:

    > Hello Ludovit,
    > I'm going to need to see pf.conf and routing table to help further.
    > Feel free to obfuscate if required. It may also help if you ask the
    > freebsd-net and freebsd-pf mailing list as well.

    > Best regards,
    > Richard Gallamore

Hi,

Please see the attached file.

Regards,

lk

    > On Mon, Mar 8, 2021 at 3:36 AM Ludovit Koren <ludovit.koren@gmail.com> wrote:

    >>>>>> Ultima  <ultima1252@gmail.com> writes:

    >> Hey Ludovit,
    >> More details would be helpful. There can be a few reasons why it is not working that I can see.

    >> 1. Do you have an rdr rule to redirect to $web_addr for the pass rule?

    >  Yes, I have an rdr rule, but there are rules without rdr and it seems
    >  they are not working either.

    >> 2. Rules out of order

    >  I do not understand. I have definitions, nat, rdr, and rules.

    >> 3. Conflicting rules.

    >  I did not find any.

    >> The best way to debug this would be logging the rules and watching where the traffic is going via tcpdump.

    >  I did exactly what you suggested. The block rule logged a reset packet from
    >  the source of the web traffic. As soon as I changed the default router,
    >  everything started to work with the same unchanged pf.conf.

    >  Regards,

    >  lk

    >> Best regards,
    >> Richard Gallamore

    >> On Sun, Mar 7, 2021 at 10:58 AM Ludovit Koren <ludovit.koren@gmail.com> wrote:

    >> Hi all,

    >> We have 2 Internet connections coming in on the same interface. One is
    >> primarily used for incoming connections and services that we provide to
    >> the Internet (web, mail). The other connection is primarily used for
    >> browsing (cache/proxy) and DNS. There are 2 different routers.

    >> I am using FreeBSD 12.2-STABLE r369178 and PF. The question is which
    >> router I should set as the default router. I suppose I can use reply-to
    >> and/or route-to, respectively. If I use (default router $router2):

    >> pass in on $ext_if reply-to (bge0 $router1) inet proto tcp from any to $web_addr port 443 keep state

    >> it is not working. The following setup is working (default router $router1):

    >> pass out on $ext_if route-to (bge0 $router2) inet proto tcp from any to any keep state

    >> Is it a bug, or do I not understand the manual page correctly?

    >> Thank you very much.

    >> Regards,
    >> lk
    >> _______________________________________________
    >> freebsd-questions@freebsd.org mailing list
    >> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
    >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"



[-- Attachment #2 --]
ext_if="bce0"
external_addr="192.168.11.18"
int_net="192.168.11.0/24"
squid="192.168.11.205"
extern_net="10.1.31.0/24"
ter_net="10.1.64.0/24"

table <tacho> { 62.62.67.20, 62.62.70.51, 62.62.70.58, 62.62.70.59, 62.62.74.223, 62.62.74.224, 62.62.74.243, 62.62.74.244/31, 192.168.11.203 }
table <intra-net> { 172.16.0.0/16, 62.62.0.0/16, 100.64.0.0/10, 192.168.96.103, 192.168.96.106, 192.168.96.126, 192.168.96.159, 192.168.96.160 }
table <tacho-test> { 192.168.96.106, 192.168.96.160 }
table <bad_hosts> { 69.164.196.21, 107.150.40.234, 162.211.64.20, 217.12.210.54, 89.18.27.34, 193.183.98.154, 51.255.167.0, 91.121.155.13, 87.98.175.85, 185.97.7.7 }

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 64000, frags 16000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
set skip on bce1

scrub in all

altq on $ext_if bandwidth 1000Mb hfsc queue { dflt, qbanista, qinet, tacho }
queue dflt bandwidth 30% hfsc(default) priority 7 qlimit 512
queue qbanista bandwidth 30% priority 7 hfsc( realtime  35% ) qlimit 512
queue qinet bandwidth 30% priority 7 hfsc( realtime  35% ) qlimit 512
queue tacho bandwidth 10% priority 0 hfsc( realtime ( 0% 100 10% )) qlimit 512

nat on $ext_if inet proto tcp from any to 192.168.96.103 port 443 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.103 port 58080 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.106 port 80 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.106 port 443 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.126 port 80 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.126 port 443 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.126 port 1443 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.126 port 8080 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.126 port 8443 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.159 port 443 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.160 port 80 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.160 port 443 -> $squid
nat on $ext_if inet proto tcp from any to 192.168.96.160 port 48080 -> $squid

nat on $ext_if inet proto tcp from any to any port 22 -> $squid
nat on $ext_if inet proto tcp from any to 198.104.203.218 port 5999 -> 192.168.11.22
nat on $ext_if inet proto tcp from any to any port 443 -> 192.168.11.22
nat on $ext_if inet proto tcp from any to any port 10000 -> $squid
nat on $ext_if inet proto tcp from any to ! 192.168.11.13 port 80 -> 192.168.11.22
nat on $ext_if inet proto tcp from any to ! 192.168.11.13 port 21 -> 192.168.11.22
nat on $ext_if inet proto tcp from any to ! 192.168.11.13 port > 1023 -> 192.168.11.22
nat on $ext_if inet proto tcp from any to squid.gov.sk -> 192.168.11.22
nat on $ext_if inet proto tcp from 192.168.11.0/24 to 192.168.11.254 port 80 -> 192.168.11.9

rdr on $ext_if proto tcp from any to 192.168.11.254/32 port 6262 -> 127.0.0.1 port 6262
rdr on $ext_if proto tcp from any to 192.168.11.251/32 port 6262 -> 127.0.0.1 port 6263

rdr on bce0 proto tcp from any to 192.168.11.225/32 port 443 -> 127.0.0.1 port 1443

pass out all queue dflt keep state
pass out on $ext_if route-to (bce0 192.168.11.1) proto tcp from 192.168.11.205 to 192.168.96.103 port 443 keep state queue tacho
pass out on $ext_if route-to (bce0 192.168.11.1) proto tcp from 192.168.11.203 port 443 to <tacho> keep state queue tacho
pass out on $ext_if proto { tcp, udp } from carp0 to $int_net keep state
pass out on $ext_if proto { tcp, udp } from $external_addr to $int_net keep state
pass out on $ext_if route-to (bce0 192.168.11.128) proto tcp from any to !<intra-net> keep state queue qbanista

pass out on $ext_if route-to (bce0 192.168.11.128) proto tcp from 192.168.11.246 to !<intra-net> keep state queue qbanista
pass out on $ext_if route-to (bce0 192.168.11.128) proto tcp from 192.168.11.246 to any keep state queue qbanista
pass out on $ext_if route-to (bce0 192.168.11.128) proto udp from any to !<intra-net> port 53 keep state queue qbanista
pass out on $ext_if route-to (bce0 192.168.11.1) proto tcp from any to 100.64.16.190 keep state queue qinet

block in log all

block quick from <bad_hosts>
pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass  in  on $ext_if proto tcp from $int_net to $ext_if port 22 keep state
pass  in  on $ext_if proto tcp from 192.168.11.0/24 to $ext_if port 22 keep state
pass  in  on $ext_if proto tcp from $int_net to carp0 port 22 keep state
pass  in  on $ext_if proto tcp from 192.168.11.0/24 to carp0 port 22 keep state


pass in quick on $ext_if proto tcp from 192.168.11.13 to any port 80
pass in quick on $ext_if proto tcp from 192.168.11.13 to any port 443
pass in quick on $ext_if proto tcp from 212.197.7.30 to any port 443

pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.203 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.204 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.205 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.217 port 443 keep state (max-src-conn-rate 10240/60, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.247 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.225 port 443 keep state (max-src-conn-rate 10240/60, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.227 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if proto tcp from 195.146.149.232 to 192.168.11.91 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.251 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.252 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.253 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 195.146.149.232 to 192.168.11.254 port 443 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.200 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.201 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.202 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.203 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.204 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.205 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.217 port 443 keep state (max-src-conn-rate 600/60, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.247 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.225 port 443 keep state (max-src-conn-rate 600/60, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.227 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if proto tcp from <tacho-test> to 192.168.11.91 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.250 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.251 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.252 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.253 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.254 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.205 port 8280 keep state (max-src-conn-rate 1024/10, overload <bad_hosts> flush global)
pass in on bce0 proto tcp from any to 127.0.0.1 port 1443 keep state
pass in on bce0 proto tcp from any to 127.0.0.1 port 6262 keep state
pass in on bce0 proto tcp from any to 127.0.0.1 port 6263 keep state

pass in on $ext_if proto tcp from 172.16.0.50 port 3128 to $external_addr keep state
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from 192.168.96.103 port 443 to 192.168.11.205 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if proto tcp from any port 80 to $external_addr keep state

pass in on $ext_if inet proto tcp from any to $external_addr port 25 keep state
pass out on $ext_if inet proto tcp from $external_addr to $int_net port 25 keep state
pass in on $ext_if inet proto { tcp , udp } from any to $external_addr port 53 keep state
pass in on $ext_if reply-to (bce0 192.168.11.1) inet proto { tcp , udp } from any to 192.168.11.9 port 53 keep state
pass in on $ext_if inet proto udp from any port 53 to $external_addr keep state
pass in on $ext_if reply-to (bce0 192.168.11.1) inet proto udp from any port 53 to 192.168.11.9 keep state

pass in on $ext_if inet proto tcp from $int_net to $squid port 309 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 389 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 709 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 710 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 829 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 873 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 1352 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 2121 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 4667 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 10000 keep state
pass in on $ext_if inet proto tcp from $int_net to 192.168.11.9 port 10050 keep state
pass in on $ext_if inet proto tcp from $int_net to $external_addr port 3306 keep state
pass in on $ext_if inet proto tcp from $int_net to $squid port 8080 keep state
pass in on $ext_if inet proto tcp from $int_net to $external_addr port 8080 keep state
pass in on $ext_if inet proto tcp from $int_net to 192.168.11.217 port 8080 keep state
pass in on $ext_if inet proto tcp from $extern_net to $external_addr port 8080 keep state
pass in on $ext_if inet proto tcp from $ter_net to $external_addr port 8080 keep state

pass out on $ext_if inet proto tcp from $squid port 8080 to $int_net keep state
pass out on $ext_if inet proto tcp from $external_addr port 8080 to $int_net keep state
pass out on $ext_if inet proto tcp from 192.168.11.217 port 8080 to $int_net keep state
pass in on $ext_if inet proto udp from $int_net to $squid port 3130 keep state
pass in on $ext_if inet proto udp from $int_net to $external_addr port 3130 keep state
pass in on $ext_if inet proto udp from $int_net to 192.168.11.217 port 3130 keep state
pass in on $ext_if inet proto udp from $extern_net to $external_addr port 3130 keep state
pass in on $ext_if inet proto udp from $ter_net to $external_addr port 3130 keep state
pass out on $ext_if inet proto udp from $squid port 3130 to $int_net keep state
pass out on $ext_if inet proto udp from $external_addr port 3130 to $int_net keep state
pass out on $ext_if inet proto udp from 192.168.11.217 port 3130 to $int_net keep state
pass out on $ext_if inet proto udp from $external_addr port 3130 to $extern_net keep state
pass out on $ext_if inet proto udp from $external_addr port 3130 to $ter_net keep state
pass in on $ext_if inet proto udp from $int_net to $external_addr port 123 keep state
pass in on $ext_if inet proto udp from $extern_net to $external_addr port 123 keep state
pass in on $ext_if inet proto udp from $ter_net to $external_addr port 123 keep state
pass in on $ext_if inet proto tcp from $int_net to $external_addr port 5999 keep state
pass out on $ext_if inet proto tcp from $external_addr port 5999 to $int_net keep state
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
pass in on $ext_if reply-to (bce0 192.168.11.1) inet proto tcp from any to 192.168.11.254 port 1000 keep state
pass in on $ext_if reply-to (bce0 192.168.11.1) inet proto tcp from any to 192.168.11.254 port 1194 keep state
pass in on $ext_if reply-to (bce0 192.168.11.1) inet proto tcp from any to 192.168.11.254 port 6262 keep state
pass in on $ext_if reply-to (bce0 192.168.11.1) inet proto tcp from any to 192.168.11.251 port 6262 keep state

block in on $ext_if inet proto tcp from <bad_hosts> to any
block in on $ext_if inet proto udp from <bad_hosts> to any

block out on bce0 inet proto tcp from any to <bad_hosts>
block out on bce0 inet proto udp from any to <bad_hosts>

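The two questions the thread circles around, which of several matching rules wins for a given packet (Richard's "rules out of order" point) and whether the winning rule carries a route-to/reply-to gateway or leaves the packet to the kernel's default router, can be checked offline. The evaluator below is an added example, not code from either poster: it implements the last-matching-rule-wins semantics of pf.conf(5) (a `quick` rule ends evaluation; a packet no rule matches is passed) over a constructed excerpt of the attached configuration, with the macros, tables and rule order taken from the file above. It models only the filter step; state lookups, nat/rdr translation that runs before filtering, interface names used as addresses (`to $ext_if`), and the options after the hosts (`keep state`, `queue`, `overload`) are out of scope and are simply skipped.

```python
import ipaddress
import re

# Constructed excerpt of the attached pf.conf: same macros, same rule order, tables abbreviated.
PF_CONF = """\
ext_if="bce0"
external_addr="192.168.11.18"
table <intra-net> { 172.16.0.0/16, 62.62.0.0/16, 100.64.0.0/10 }
table <bad_hosts> { 69.164.196.21, 185.97.7.7 }
pass out all queue dflt keep state
pass out on $ext_if route-to (bce0 192.168.11.128) proto tcp from any to !<intra-net> keep state queue qbanista
block in log all
block quick from <bad_hosts>
pass in on $ext_if reply-to (bce0 192.168.11.1) proto tcp from any to 192.168.11.200 port 443 keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass in on $ext_if inet proto { tcp , udp } from any to $external_addr port 53 keep state
"""

# Subset of the pf.conf(5) grammar handled: action [in|out] [log] [quick] [on if]
# [route-to|reply-to (if gw)] [inet] [proto p | proto { p, q }]
# ( all | [from src [port n]] [to dst [port n]] ); filter options after the hosts are ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+log)?"
    r"(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+(?P<rtkind>route-to|reply-to)\s+\(\s*(?P<rtif>\S+)\s+(?P<rtgw>[^)\s]+)\s*\))?"
    r"(?:\s+inet6?)?"
    r"(?:\s+proto\s+(?P<proto>\{[^}]*\}|\S+))?"
    r"(?:\s+all"
    r"|(?:\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\d+))?)?"
    r"(?:\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\d+))?)?)"
)

def expand_macros(text):
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), text)

def parse_tables(text):
    tables = {}
    for name, body in re.findall(r"^table <([\w-]+)> \{([^}]*)\}", text, re.M):
        tables[name] = [ipaddress.ip_network(e.strip(), strict=False) for e in body.split(",")]
    return tables

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # macro, table, set/scrub/altq/nat/rdr lines are not filter rules
        r = m.groupdict()
        r["text"] = line.strip()
        r["protos"] = {p.strip() for p in r["proto"].strip("{}").split(",")} if r["proto"] else None
        r["route"] = (r["rtkind"], r["rtif"], r["rtgw"]) if r["rtkind"] else None
        rules.append(r)
    return rules

def addr_matches(spec, addr, tables):
    """spec is 'any', a host, a CIDR or a <table>, optionally negated with a leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    addr = ipaddress.ip_address(addr)
    if spec == "any":
        hit = True
    elif spec.startswith("<"):
        hit = any(addr in net for net in tables[spec.strip("<>")])
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def rule_matches(r, p, tables):
    return (r["dir"] in (None, p["direction"])
            and r["iface"] in (None, p["iface"])
            and (r["protos"] is None or p["proto"] in r["protos"])
            and addr_matches(r["src"] or "any", p["src"], tables)
            and addr_matches(r["dst"] or "any", p["dst"], tables)
            and r["sport"] in (None, str(p.get("sport")))
            and r["dport"] in (None, str(p["dport"])))

def evaluate(rules, pkt, tables):
    """Last matching rule wins unless a matching rule is 'quick'; no match means pass.
    'route' is the winner's route-to/reply-to tuple; None leaves the default route in charge."""
    winner = None
    for r in rules:
        if rule_matches(r, pkt, tables):
            winner = r
            if r["quick"]:
                break
    if winner is None:
        return {"action": "pass", "rule": None, "route": None}
    return {"action": winner["action"], "rule": winner["text"], "route": winner["route"]}

EXPANDED = expand_macros(PF_CONF)
TABLES = parse_tables(EXPANDED)
RULES = parse_rules(EXPANDED)

def decide(direction, iface, proto, src, dst, dport):
    pkt = dict(direction=direction, iface=iface, proto=proto, src=src, dst=dst, dport=dport)
    return evaluate(RULES, pkt, TABLES)

if __name__ == "__main__":
    # Constructed packets: inbound HTTPS, inbound from a <bad_hosts> entry, outbound to the
    # Internet, outbound to the intranet proxy (last one falls through to the default route).
    for pkt in [("in", "bce0", "tcp", "203.0.113.7", "192.168.11.200", 443),
                ("in", "bce0", "tcp", "185.97.7.7", "192.168.11.200", 443),
                ("out", "bce0", "tcp", "192.168.11.50", "198.51.100.9", 443),
                ("out", "bce0", "tcp", "192.168.11.50", "172.16.0.50", 3128)]:
        print(pkt, "->", decide(*pkt))
```

Running it shows the point of the default-router question: an outbound connection to an address in `<intra-net>` matches only `pass out all`, so nothing policy-routes it and the kernel's default route decides which router it leaves through, while the inbound HTTPS rule wins over the earlier `block in log all` purely by position and, per pf.conf(5), its `reply-to` gateway applies only to the reply packets of the state that rule creates. A practitioner auditing a two-uplink setup would extend the constructed excerpt with the full rule set and walk every service address through `decide()` in both directions before touching the default route.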

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?867dmeub7o.fsf>