Date:      Sat, 05 Nov 2005 15:12:26 +0100
From:      Nils Vogels <bacardicoke+sender+38c70d@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   PF, reply-to and synproxy
Message-ID:  <436CBDCA.4050309@gmail.com>

Hi there,

I currently have the situation where I use the pf route-to and reply-to
statements, to direct traffic the right way in my network.
My firewall has two ISPs connected to it, the default route is set to
ISP1. Their interfaces are called if_isp1 and if_isp2. I want to have a
webserver (server1) that is behind my firewall to be reachable using
both ISPs.

What I have seen, is that when I take the following ruleset:

rdr on $if_isp1 proto tcp from any to $ipv4_isp1 port $http -> $ipv4_imhotep port $http
rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http
pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_1, q_pri_1)
pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2) proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_2, q_pri_2)

Traffic from $if_isp2 to my webserver seems to drop in my FreeBSD
5.3-RELEASE-p2 firewall, traffic from $if_isp1 works fine, whereas when
I use

rdr on $if_isp1 proto tcp from any to $ipv4_isp1 port $http -> $ipv4_imhotep port $http
rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http
pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_1, q_pri_1)
pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2) proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA keep state queue (q_def_2, q_pri_2)

Both ISP interfaces can access my webserver. I've tried altering
everything else, but for some reason, only disabling synproxy and going
back to keep state gives me the result I want. Did I in some way run
into a bug, or is this documented somewhere? (I couldn't find it)

Thanks,

Nils

-- 
Those who desire to give up freedom in order to gain security, will not have, nor do they deserve, either one.

~Benjamin Franklin (American Statesman, Scientist, Philosopher, Printer, Writer and Inventor. 1706-1790)



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?436CBDCA.4050309>
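An added example, not part of Nils' post or of pf itself: a small Python check that joins pf.conf backslash continuations, expands macros, and reports pass rules that combine reply-to with synproxy state, the combination the post reports as dropping traffic on 5.3-RELEASE-p2. The sample ruleset and the macro values (em0, em1, 192.0.2.1) are constructed; $ipv4_server1 is deliberately left undefined to show that unknown macros pass through unexpanded.

```python
import re

# Constructed sample modelled on the ruleset in the post; macro values are made up.
SAMPLE_PF_CONF = """
if_isp1 = "em0"
if_isp2 = "em1"
ipv4_gw_isp2 = "192.0.2.1"
http = "80"
pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port \\
    $http flags S/SA synproxy state queue (q_def_1, q_pri_1)
pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2 ) proto tcp \\
    from any port > 1023 to $ipv4_server1 port \\
    $http flags S/SA synproxy state queue (q_def_2, q_pri_2)
"""

# name = "value"  or  name = value  (a macro definition line)
MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*$')


def logical_lines(text):
    """Strip comments, join backslash-continued lines, drop blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "      # continuation: keep collecting
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))  # normalise whitespace
        buf = ""
    return out


def expand_macros(lines):
    """Record macro definitions and substitute $name in the rule lines."""
    macros, rules = {}, []
    for line in lines:
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        # unknown macros are left as-is so the rule stays recognisable
        rules.append(re.sub(r"\$(\w+)",
                            lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return rules


def find_replyto_synproxy(text):
    """Return pass rules that use both reply-to and synproxy state."""
    return [r for r in expand_macros(logical_lines(text))
            if r.startswith("pass") and "reply-to" in r and "synproxy state" in r]
```

Running find_replyto_synproxy on a real pf.conf lists the rules to re-test with keep state, as the post did, before deciding whether the behaviour is a bug or a documented limitation.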