From: Mario Lobo <lobo@bsd.com.br>
To: freebsd-pf@FreeBSD.org
Cc: freebsd-questions@freebsd.org
Date: Wed, 13 Jul 2011 19:48:33 -0300
Subject: Re: Problem with PF reply-to [SOLVED]
Message-Id: <201107131948.34051.lobo@bsd.com.br>
In-Reply-To: <201107131026.59401.lobo@bsd.com.br>
References: <201107131026.59401.lobo@bsd.com.br>
User-Agent: KMail/1.13.7 (FreeBSD/8.2-STABLE; KDE/4.6.2; amd64)
List-Id: User questions

On Wednesday 13 July 2011 10:26:59 Mario Lobo wrote:
> Hi;
>
> I have the following scenario.
>
> FreeBSD 8.2-STABLE FreeBSD 8.2-STABLE #0: Thu May 19 19:53:59 BRT 2011 i386
>
> I want to be able to connect to any of the 2 external IPs this machine has.
>
> ### pf.conf excerpt
>
> ext_if1 = sis0 (1M link, default gateway)
> ext_if2 = rl0 (2M link)
> aln_if = dc0 (Internal LAN)
>
> ext_gw1 = A.A.A.A
> ext_gw2 = B.B.B.B
>
> my_ext_ip1 = a.a.a.a
> my_ext_ip2 = b.b.b.b
>
> nat on $ext_if1 from any to any -> $my_ext_ip1 port 1024:65535
> nat on $ext_if2 from any to any -> $my_ext_ip2 port 1024:65535
>
> 1) ----------------------------------------- # balance the load
>
> pass in log quick on $aln_if route-to ($ext_if2 $ext_gw2) from \
>     $aln_if:network to any flags S/SA keep state tag to_out probability 70%
>
> pass in log quick on $aln_if route-to ($ext_if1 $ext_gw1) from \
>     $aln_if:network to any flags S/SA keep state tag to_out
>
> 2) ----------------------------------------- # allow ssh on ext_ifs
>
> a) pass in log quick on $ext_if1 inet proto tcp from any to any port $SshPort \
>        flags S/SA modulate state (max 30, source-track rule, max-src-nodes 10, \
>        max-src-states 2, max-src-conn 2, max-src-conn-rate 2/60, overload )
>
> b) pass in log quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
>        from any to any port $SshPort flags S/SA keep state (max 30, source-track \
>        rule, max-src-nodes 10, max-src-states 2, max-src-conn 2, \
>        max-src-conn-rate 2/60, overload )   ( RULE 8 )
>
> [snip][snip]......
>
> 3) -----------------------------------------
>
> pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>
> Also tried:
>
> pass out quick on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> pass out quick on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
>
> block log all   ( RULE 163 )
>
> ### end of pf.conf excerpt
>
> Everything under 1) works fine.
>
> Under 2), a) works, b) is not working.
>
> When I try to connect to $SshPort through the 2M link (b.b.b.b), I connect
> to the server, but the return packet neither obeys the reply-to on rule
> b), nor matches any of the pass outs under 3), and goes straight to the
> block rule, as you can see below.
>
> [$]> tcpdump -n -e -ttt -i pflog0 host 187.113.99.63   (my home IP)
>
> The packet arrives, matches rule b)/8 and should create a state:
>
> 00:00:00.000000 rule 8/0(match): pass in on rl0: 187.113.99.63.25806 > b.b.b.b.22: [|tcp]
>
> but...
>
> 00:00:00.000108 rule 163/0(match): block out on sis0: a.a.a.a.8947 > 187.113.99.63.25806: [|tcp]
> 00:00:03.000057 rule 163/0(match): block out on sis0: a.a.a.a.65060 > 187.113.99.63.25806: [|tcp]
> 00:00:03.199931 rule 163/0(match): block out on sis0: a.a.a.a.20213 > 187.113.99.63.25806: [|tcp]
> 00:00:03.199618 rule 163/0(match): block out on sis0: a.a.a.a.19748 > 187.113.99.63.25806: [|tcp]
> 00:00:03.200044 rule 163/0(match): block out on sis0: a.a.a.a.1600 > 187.113.99.63.25806: [|tcp]
> 00:00:03.199767 rule 163/0(match): block out on sis0: a.a.a.a.45513 > 187.113.99.63.25806: [|tcp]
> 00:00:06.205048 rule 163/0(match): block out on sis0: a.a.a.a.17925 > 187.113.99.63.25806: [|tcp]
>
> It tries to go back to me on the wrong interface (sis0 and NOT rl0), from the
> wrong IP (a.a.a.a and NOT b.b.b.b), and from several wrong port numbers,
> not port 22.
>
> Questions:
>
> 1) sshd is listening on *.22. I know that the default gateway is not on rl0,
> but isn't that what reply-to is supposed to beat? If I understood
> correctly, wasn't reply-to supposed to make the packet go back
> through the specified ($ext_if2 $ext_gw2)?
>
> 2) Wasn't a state created when the pass rule b)/8 matched? If so, where is it?
>
> What am I doing wrong here?
>
> Thanks for any hints.

Never mind! I solved the problem after finding this very enlightening document:

http://www.mmacleod.ca/blog/2011/06/source-based-routing-with-freebsd-using-multiple-routing-table/

I followed it and it all works beautifully now.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)
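The diagnosis in the quoted post was done by reading the pflog0 capture by eye. As an added example, not part of the original mail or of the referenced blog post, the script below does that reading mechanically: it parses tcpdump lines of the exact shape shown above ("rule N/0(match): <action> <dir> on <if>: <src>.<port> > <dst>.<port>: [|tcp]") and groups them by rule, action, direction, interface and source host, counting how many distinct source ports each group used. On the post's own log that summary makes the symptom explicit: one pass in on rl0 from the remote host, and every reply leaving as block out on sis0, sourced from a.a.a.a with a fresh high port per retransmission, which is the pattern one would expect if the replies were being translated by the "nat on $ext_if1 from any to any" rule instead of matching the state that rule 8 was supposed to create (that reading is mine, not stated in the post). The sample lines are constructed from the post's output, with its a.a.a.a / b.b.b.b placeholders kept.

```shell
#!/bin/sh
# Added example, not from the original mail: summarise pflog output as printed by
# "tcpdump -n -e -ttt -i pflog0" so that replies leaving on the wrong interface,
# or from a translated address/port, stand out.
#
# Input line format (one per logged packet):
#   <delta> rule <N>/0(match): <pass|block> <in|out> on <if>: <src>.<sport> > <dst>.<dport>: [|tcp]

# Constructed sample, modelled on the tcpdump lines in the post (not a real capture).
SAMPLE_PFLOG='00:00:00.000000 rule 8/0(match): pass in on rl0: 187.113.99.63.25806 > b.b.b.b.22: [|tcp]
00:00:00.000108 rule 163/0(match): block out on sis0: a.a.a.a.8947 > 187.113.99.63.25806: [|tcp]
00:00:03.000057 rule 163/0(match): block out on sis0: a.a.a.a.65060 > 187.113.99.63.25806: [|tcp]
00:00:03.199931 rule 163/0(match): block out on sis0: a.a.a.a.20213 > 187.113.99.63.25806: [|tcp]'

# summarize_pflog: reads pflog lines on stdin, prints one line per group:
#   "<packets> <rule> <action> <dir> <iface> <src_host> ports=<distinct source ports>"
# sorted by rule number.  A block-out group whose ports= count grows with every
# retransmission means each reply was re-translated, i.e. no state matched it.
summarize_pflog() {
    awk '
    $2 == "rule" {
        split($3, r, "/")                 # "163/0(match):" -> r[1] = "163"
        iface = $7; sub(/:$/, "", iface)  # "sis0:" -> "sis0"
        src = $8                          # "a.a.a.a.8947": host + "." + port
        n = split(src, p, ".")
        sport = p[n]
        host = substr(src, 1, length(src) - length(sport) - 1)
        key = r[1] " " $4 " " $5 " " iface " " host
        count[key]++
        if (!((key, sport) in seen)) { seen[key, sport] = 1; ports[key]++ }
    }
    END {
        for (k in count) printf "%d %s ports=%d\n", count[k], k, ports[k]
    }' | sort -k2,2n
}

# blocked_out_groups: only the "block out" groups, i.e. replies that never
# matched a state or a pass-out rule and fell through to the final block rule.
blocked_out_groups() {
    summarize_pflog | awk '$3 == "block" && $4 == "out"'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```

Live use is `tcpdump -n -e -ttt -i pflog0 host <remote-ip> | summarize_pflog` after the capture is stopped, or on a saved capture with `tcpdump -n -e -ttt -r capture.pcap`. If a group such as "block out sis0 a.a.a.a" shows up with ports= climbing per packet, the next two standard checks are `pfctl -ss` (is there a state for the remote host's port at all?) and `pfctl -vvsr` (which numbered rule is 163, and is any pass-out rule ahead of it actually matching the translated reply?).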