From owner-freebsd-net@FreeBSD.ORG Tue Aug 10 13:09:06 2004
Date: Tue, 10 Aug 2004 19:44:32 +0700
From: Muhammad Reza <reza@mra.co.id>
To: Max Laier
Cc: freebsd-net@freebsd.org, pf4freebsd@freelists.org
Subject: Re: pf and ipfw
Message-ID: <4118C330.8090609@mra.co.id>
In-Reply-To: <200408091840.53308.max@love2party.net>
References: <411722A1.1020108@mra.co.id> <200408091840.53308.max@love2party.net>
List-Id: Networking and TCP/IP with FreeBSD

Max Laier wrote:
> On Monday 09 August 2004 09:07, Muhammad Reza wrote:
>> Dear Lists,
>>
>> Can pf rules work together with ipfw rules?
>> I need pf rules to do some outgoing load balancing, but still need ipfw to
>> do some basic packet filtering, because I have difficulty setting pf rules
>> to default to block if they are applied together with load balancing rules.
>> Please enlighten me..
>
> While it is possible to use pf and ipfw in conjunction, it is certainly
> preferable to settle for either one on its own. It should not be too much of
> a problem to get pf to do what you want/need. If you have more specific
> questions you can post to pf4freebsd@freelists.org

Dear lists,

Thanks for the great response. I'm new with pf. I have a problem making a pf
redirect rule forward traffic from the net to my DMZ internal server. Maybe the
problem is that I have a load balancing rule for outgoing connections, which
must have no default gateway. If I apply a default gateway, the redirect rule
works well, but there is no load balancing at all.
These are my rules:

#macros
lan_net = "172.16.0.0/16"
dmz_net = "10.10.10.0/24"
int_if = "xl0"
dmz_if = "rl3"
ext_if1 = "rl0"
ext_if2 = "rl1"
ext_if = "{" $ext_if1 $ext_if2 "}"
gw1 = "202.xxx.254.3"
gw2 = "202.xxx.255.170"
ext_gw1 = "202.xxx.254.1"
ext_gw2 = "202.xxx.255.169"
server_dmz = "10.10.10.2/32"
server_ext = "202.xxx.254.4/32"
priv_nets = "{127.0.0.0/8 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12}"

# scrub incoming packets
scrub in all

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> $gw1
nat on $ext_if2 from $lan_net to any -> $gw2
nat on $ext_if1 from $dmz_net to any -> $gw1
nat on $ext_if2 from $dmz_net to any -> $gw2

# smtp access from outside
rdr on $ext_if proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

# default to deny
block log all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all

# no RFC1918
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# beastie
pass in on $int_if proto tcp from 172.16.0.228 to any port 22 keep state

# load balancing rules
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $dmz_net to any flags S/SA modulate state
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $dmz_net to any keep state

# general pass out
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Please help me.

regards,
reza
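The failure described above (redirect to the DMZ host works only when a default route exists) is the classic multi-WAN return-path problem: the inbound connection creates a state on the external interface, the DMZ host's replies arrive on $dmz_if and match that state, so they never reach the round-robin route-to rules and the kernel falls back to the routing table, which has no default route. pf's reply-to option is the mechanism for this case: it records in the state entry the interface and gateway through which replies must leave. The following pf.conf fragment is an added example written for this thread, not rules from the original post; it reuses the macros defined in the posted ruleset ($ext_if, $ext_if1, $ext_if2, $ext_gw1, $ext_gw2, $server_ext, $server_dmz, $dmz_if) and assumes pf's default floating state policy, under which a state created on one interface also matches the same connection on another. It also supplies the pass in rule that the posted ruleset lacks: rdr only rewrites the destination address, and the packet is still filtered against the translated address, so with "block log all" in place the redirected SMTP traffic needs an explicit pass rule.

```pf
# Added example (not from the original post): inbound SMTP redirect with
# a pinned return path. Macro names are those of the posted ruleset.

# Rewrite the public address to the DMZ host on both external interfaces
# ($ext_if expands to "{ rl0 rl1 }" in the posted macros).
rdr on $ext_if proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

# rdr does not pass traffic by itself; filter the translated packet here.
# reply-to stores (interface, gateway) in the state, so replies from the
# DMZ host are handed to that gateway instead of the routing table. One
# rule per external interface, because each needs its own gateway.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any \
    to $server_dmz port smtp flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any \
    to $server_dmz port smtp flags S/SA keep state

# With floating states (assumed here) the state created above also covers
# the packet leaving on $dmz_if and the reply coming back in on it, so the
# reply bypasses the round-robin "pass in on $dmz_if route-to ..." rules
# and is sent out the interface it arrived on. No default route required.
```

Load these rules before the posted "pass in on $dmz_if route-to ..." rules are not an ordering concern, since state matching takes precedence over rule evaluation, but the pass in rules must not be preceded by a quick block on $ext_if that matches the redirected packets (the posted RFC1918 block rules do not, as $server_dmz is only the destination after translation and the source is a public address). Verify the result with pfctl -ss and look for the smtp state on $ext_if1 or $ext_if2 showing the DMZ address, and with pfctl -sr to confirm the reply-to rules loaded as written.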