Date: Wed, 9 Feb 2011 19:54:09 -0500
From: Maxim Khitrov <max@mxcrypt.com>
To: Da Rock <freebsd-questions@herveybayaustralia.com.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf, binat, rdr, and one ip
Message-ID: <AANLkTimJrdwga8qC=v7AK0_Z5yFf6bhM9HDDb%2Bmgn-iD@mail.gmail.com>
In-Reply-To: <4D5333E4.7070800@herveybayaustralia.com.au>
References: <4D515148.3000009@herveybayaustralia.com.au> <20110208151849.GC3267@catflap.slightlystrange.org> <4D51CD05.8040003@herveybayaustralia.com.au> <20110209111646.GD3267@catflap.slightlystrange.org> <4D527BAC.3080805@herveybayaustralia.com.au> <AANLkTinPzyx%2BfwzOJpwn634jScsQ7SbRada4A9=5oVNs@mail.gmail.com> <4D5333E4.7070800@herveybayaustralia.com.au>
On Wed, Feb 9, 2011 at 7:40 PM, Da Rock <freebsd-questions@herveybayaustralia.com.au> wrote:
> On 02/09/11 22:38, Maxim Khitrov wrote:
>>
>> On Wed, Feb 9, 2011 at 6:34 AM, Da Rock
>> <freebsd-questions@herveybayaustralia.com.au> wrote:
>>>
>>> On 02/09/11 21:16, Daniel Bye wrote:
>>>>
>>>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>>>>
>>>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>>>>
>>>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>>>>
>>>>>>> A very quick question.
>>>>>>>
>>>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>>>
>>>>>>> Possible? Or would it die in the hole?
>>>>>>
>>>>>> I guess you're concerned about performance and resource usage? If so,
>>>>>> this may be helpful.
>>>>>>
>>>>>> http://www.openbsd.org/faq/pf/perf.html
>>>>>>
>>>>>> Dan
>>>>>
>>>>> Useful info to have, thanks. But no, I'm interested in if the binatting
>>>>> will interfere with the rdr's (or vice versa).
>>>>
>>>> Ah, I see. I don't know, is the straight answer - I've never needed to
>>>> use both together. A bit of idle googling seems to suggest it's possible,
>>>> but I don't have time right now to dig any deeper.
>>>
>>> That's exactly what I got too. Nothing definitive to go on. Apparently not
>>> a very common arrangement. It *seems* to be working, but there are some
>>> weird quirks I can't quite account for. Hence the question to the guys
>>> who'd know... :)
>>
>> According to pf.conf(5):
>>
>>     Evaluation order of the translation rules is dependent on the type of
>>     the translation rules and of the direction of a packet. binat rules are
>>     always evaluated first. Then either the rdr rules are evaluated on an
>>     inbound packet or the nat rules on an outbound packet. Rules of the
>>     same type are evaluated in the same order in which they appear in the
>>     ruleset. The first matching rule decides what action is taken.
>>
>> The way I interpret this is that when an outside client tries to
>> establish a connection to one of your servers, the rdr rules will
>> never be evaluated, since the only public IP is translated with binat.
>> Outgoing connections shouldn't have a problem, since binat will only
>> match one local IP address and the others can be translated with nat
>> rules.
>
> Allow me to prefix my comments with the fact that that is not what appears
> to be happening.
>
> I read that as well, but my reading between the lines was that it is the
> _rules_ that are evaluated. So if I have a block all policy and then open up
> what I need, then only the _ports_ specified for that binat machine are
> passed - the rest continue for further evaluation: the rdr rules are then
> assessed and the packets are passed accordingly.
>
> What I see works mostly; I have a binat machine for voip (asterisk), and the
> rest of the jumble gets passed to the rdr's or get blocked. However, where I
> come unstuck (and this is why I recreated my firewall rules) is I still
> can't get outgoing calls to my voip provider. It still eludes me... So I'm
> not sure if I'm 100% right or not.
>
> Hence my dilemma... I did get outgoing calls to work somewhere when my
> firewall rules were still not quite working, but I couldn't ring in! I have
> used an ata and tried to figure out what I'm missing, but I still haven't
> got it figured yet.
>
> But I digress. At the time when I started this thread I was having some odd
> issues with my rdr servers, but now they appear to be working as they should
> (after some blood, sweat and tears), fingers crossed. So what I will do now
> is finish this problem and get the voip working (which may or may not be a
> firewall problem), and then see whether it all works as beautifully as it
> should; then I will report back on this thread and let people know the
> outcome.

Are you using binat specifically for voip or is there some other reason?
I used to run a voip appliance behind m0n0wall (FreeBSD 6) using regular
nat and port forwarding without any problems. I'm not familiar with
asterisk, but I assume there is a way to restrict the port range that is
used for incoming and outgoing connections. Binat shouldn't be needed for
this if that's your only reason for going that route.

- Max
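The following is an added illustration, not code from anyone in this thread: a small Python model of the translation-rule evaluation order exactly as the pf.conf(5) excerpt quoted above describes it (binat first, then rdr for inbound or nat for outbound, first match wins). It runs the two rulesets under discussion, one with a binat for the voip box and one using only rdr port forwards as Max suggests, against the same inbound and outbound packets. All addresses, the DMZ prefix and the SIP/RTP port range are constructed for the example, not taken from any real configuration.

```python
# Model of pf translation-rule evaluation as pf.conf(5) describes it:
# binat rules are always evaluated first, then rdr rules (inbound packets)
# or nat rules (outbound packets); the first matching rule decides.
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXT_IP = "203.0.113.10"                      # constructed: the one public IP
DMZ = "10.0.0.0/24"                          # constructed internal network
VOIP, WEB, MAIL = "10.0.0.5", "10.0.0.20", "10.0.0.25"

@dataclass
class Rule:
    kind: str                                # "binat", "rdr" or "nat"
    internal: str                            # host or network behind pf
    external: str = EXT_IP                   # public address
    proto: Optional[str] = None              # None = any protocol
    ports: Optional[range] = None            # rdr only: binat takes no port

def translate(rules, proto, src, dst, dport, inbound):
    """Return (kind of rule that matched, translated address) or (None, None)."""
    for kind in ("binat", "rdr" if inbound else "nat"):
        for r in rules:
            if r.kind != kind or (r.proto and r.proto != proto):
                continue
            if kind == "binat":                          # 1:1 and bidirectional
                if inbound and dst == r.external:
                    return kind, r.internal
                if not inbound and src == r.internal:
                    return kind, r.external
            elif kind == "rdr" and dst == r.external and dport in r.ports:
                return kind, r.internal
            elif kind == "nat" and ipaddress.ip_address(src) in \
                    ipaddress.ip_network(r.internal):
                return kind, r.external
    return None, None

# Ruleset A: binat for the voip box plus rdr rules for the other servers.
WITH_BINAT = [
    Rule("binat", VOIP),
    Rule("rdr", WEB, proto="tcp", ports=range(80, 81)),
    Rule("rdr", MAIL, proto="tcp", ports=range(25, 26)),
    Rule("nat", DMZ),
]
# Ruleset B: no binat; the voip box gets rdr rules for SIP and an RTP range
# (ports chosen for the example, not read from any asterisk configuration).
RDR_ONLY = [
    Rule("rdr", VOIP, proto="udp", ports=range(5060, 5061)),
    Rule("rdr", VOIP, proto="udp", ports=range(10000, 20001)),
    Rule("rdr", WEB, proto="tcp", ports=range(80, 81)),
    Rule("rdr", MAIL, proto="tcp", ports=range(25, 26)),
    Rule("nat", DMZ),
]
```

Under ruleset A every inbound packet to the public IP hits the binat before any rdr is consulted, so port 80 traffic lands on the voip box; under ruleset B the same packet reaches the web server and only SIP/RTP goes to the voip box.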