From: Nils Vogels
To: freebsd-pf@freebsd.org
Date: Sat, 05 Nov 2005 15:12:26 +0100
Subject: PF, reply-to and synproxy
Message-ID: <436CBDCA.4050309@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi there,

I currently have the situation where I use the pf route-to and reply-to statements to direct traffic the right way in my network. My firewall has two ISPs connected to it; the default route is set to ISP1. Their interfaces are called if_isp1 and if_isp2.

I want to have a webserver (server1) that is behind my firewall to be reachable using both ISPs.

What I have seen is that when I take the following ruleset:

    rdr on $if_isp1 proto tcp from any to $ipv4_isp1 port $http -> $ipv4_imhotep port $http
    rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http

    pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port \
        $http flags S/SA synproxy state queue (q_def_1, q_pri_1)
    pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2) proto tcp from any port > 1023 to $ipv4_server1 port \
        $http flags S/SA synproxy state queue (q_def_2, q_pri_2)

traffic from $if_isp2 to my webserver seems to drop in my FreeBSD 5.3-RELEASE-p2 firewall, while traffic from $if_isp1 works fine, whereas when I use

    rdr on $if_isp1 proto tcp from any to $ipv4_isp1 port $http -> $ipv4_imhotep port $http
    rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http

    pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port \
        $http flags S/SA synproxy state queue (q_def_1, q_pri_1)
    pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2) proto tcp from any port > 1023 to $ipv4_server1 port \
        $http flags S/SA keep state queue (q_def_2, q_pri_2)

both ISP interfaces can access my webserver.

I've tried altering everything else, but for some reason only disabling synproxy and going back to keep state gives me the result I want.

Did I in some way run into a bug, or is this documented somewhere? (I couldn't find it)

Thanks,

Nils

--
Those who desire to give up freedom in order to gain security, will not have, nor do they deserve, either one.
~Benjamin Franklin (American Statesman, Scientist, Philosopher, Printer, Writer and Inventor. 1706-1790)
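An added example, not part of Nils's post or of pf itself: a small Python checker that folds pf.conf line continuations, flags pass rules that combine reply-to or route-to with synproxy state (the combination the post reports as dropping traffic on 5.3), and prints the keep state variant the post found to work. The sample ruleset is constructed from the rules above and reuses the post's variable names.

```python
# Added example, not from the post: flag pf.conf pass rules that pair reply-to or
# route-to with 'synproxy state' (the mix the post reports dropping traffic).
import re

# Constructed sample built from the post's failing ruleset (its variable names).
SAMPLE_PF_CONF = r"""
rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http
pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_1, q_pri_1)
pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2) proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_2, q_pri_2)
"""

POLICY_RE = re.compile(r"\b(reply-to|route-to)\s*\(")
SYNPROXY_RE = re.compile(r"\bsynproxy\s+state\b")

def join_continuations(text):
    """Strip comments, fold backslash-newline continuations into one logical
    rule each, and normalise whitespace."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            rules.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():  # file ended on a continuation line
        rules.append(" ".join(buf.split()))
    return rules

def find_synproxy_policy_rules(text):
    """Return (rule_index, rule, keyword) for pass rules that combine a
    routing option with synproxy state."""
    hits = []
    for idx, rule in enumerate(join_continuations(text), 1):
        match = POLICY_RE.search(rule)
        if rule.startswith("pass") and match and SYNPROXY_RE.search(rule):
            hits.append((idx, rule, match.group(1)))
    return hits

def suggest_keep_state(rule):
    """The workaround the post reports: synproxy state -> keep state."""
    return SYNPROXY_RE.sub("keep state", rule)

if __name__ == "__main__":
    for idx, rule, keyword in find_synproxy_policy_rules(SAMPLE_PF_CONF):
        print(f"rule {idx}: {keyword} with synproxy state; try: {suggest_keep_state(rule)}")
```

Rule indices count logical rules after continuations are folded, not file lines.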