Date: Tue, 10 Aug 2004 19:44:32 +0700
From: Muhammad Reza <reza@mra.co.id>
To: Max Laier <max@love2party.net>
Cc: pf4freebsd@freelists.org
Subject: Re: pf and ipfw
Message-ID: <4118C330.8090609@mra.co.id>
In-Reply-To: <200408091840.53308.max@love2party.net>
References: <411722A1.1020108@mra.co.id> <200408091840.53308.max@love2party.net>
Max Laier wrote:
> On Monday 09 August 2004 09:07, Muhammad Reza wrote:
>
>> Dear Lists,
>>
>> Can pf rules work together with ipfw rules?
>> I need pf rules to do some outgoing load balancing, but still need ipfw to
>> do some basic packet filtering, because I have difficulty setting pf rules
>> to default to block when they are applied with load-balancing rules.
>> Please enlighten me..
>
> While it is possible to use pf and ipfw in conjunction, it is certainly
> preferable to settle for either one on its own. It should not be too much of
> a problem to get pf to do what you want/need. If you have more specific
> questions you can post to pf4freebsd@freelists.org

Dear lists,

Thanks for the great response. I'm new to pf. I have a problem making a pf
redirect rule forward from the net to my DMZ internal server. Maybe the
problem is that I have an outgoing load-balancing rule, which requires that
there be no default gateway. If I set a default gateway, the redirect rule
works fine, but there is no load balancing at all.

These are my rules:

# macros
lan_net = "172.16.0.0/16"
dmz_net = "10.10.10.0/24"
int_if = "xl0"
dmz_if = "rl3"
ext_if1 = "rl0"
ext_if2 = "rl1"
ext_if = "{" $ext_if1 $ext_if2 "}"
gw1 = "202.xxx.254.3"
gw2 = "202.xxx.255.170"
ext_gw1 = "202.xxx.254.1"
ext_gw2 = "202.xxx.255.169"
server_dmz = "10.10.10.2/32"
server_ext = "202.xxx.254.4/32"
priv_nets = "{127.0.0.1/8 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12}"

# scrub incoming packets
scrub in all

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> $gw1
nat on $ext_if2 from $lan_net to any -> $gw2
nat on $ext_if1 from $dmz_net to any -> $gw1
nat on $ext_if2 from $dmz_net to any -> $gw2

# smtp access from outside
rdr on $ext_if proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

# default to deny
block log all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all

# no RFC1918 addresses in or out on the external interfaces
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# beastie
pass in on $int_if proto tcp from 172.16.0.228 to any port 22 keep state

# load balancing rules
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $dmz_net to any flags S/SA modulate state
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $dmz_net to any keep state

# general pass out
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Please help me.

Regards,
reza
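The symptom described above (the rdr works only once a default route exists) is the usual multi-WAN pitfall: the DMZ server's reply packets match the existing state and are then routed by the kernel routing table, not by the round-robin route-to rules. pf's reply-to option pins the replies to the link the connection arrived on. The fragment below is an added illustration, not part of the thread or of reza's ruleset; it reuses the macros defined in the post and assumes SMTP only arrives on $ext_if1, since $server_ext lives in that link's network.

```pf
# Added example (not from the thread). Filter rules see the translated
# address, so the pass rule matches $server_dmz, not $server_ext.
# reply-to sends the server's replies back out $ext_if1 via $ext_gw1
# regardless of the default route, so the redirect keeps working while
# outbound traffic is still load balanced by the route-to rules.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to $server_dmz port smtp flags S/SA keep state

# Let the redirected connection out towards the DMZ server.
pass out on $dmz_if proto tcp from any to $server_dmz port smtp keep state
```

Without a pass rule for the translated destination, the "block log all" default drops the redirected packets; checking pflog for blocked traffic to $server_dmz port 25 is the quickest way to confirm which of the two problems is in play.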