From owner-freebsd-isp@FreeBSD.ORG Wed Oct 20 15:48:04 2004
From: João Assad
Date: Wed, 20 Oct 2004 12:47:56 -0300
To: isp@freebsd.org
Message-ID: <417688AC.1030407@parperfeito.com.br>
In-Reply-To: <417569E0.90707@parperfeito.com.br>
Subject: Re: problem configuring ipfilter for multiple network routing

No response... So I take it it's either an ipfilter or FreeBSD limitation?

João Assad wrote:
> Hello guys,
>
> I have a firewall with 3 network interfaces, 2 external (fxp1 and
> fxp2) and 1 internal (fxp0).
> fxp0 is connected to my private network while fxp1 and fxp2 are
> connected to two different ISPs.
>
> I'm trying to use ipfilter to route outgoing packets through two
> different interfaces and their respective gateways based on the
> packet's source IP.
>
> My problem is that when a packet comes from 10.1.0.0/16, it is
> correctly routed through the fxp2 interface and reaches the
> destination... but the reply packets are lost in my firewall and never
> reach the sender IP from the 10.1.0.0/16 network.
>
> Packets coming from 10.0.0.0/16 work perfectly.
>
> You can see what I'm trying to do at
> http://www.bsdnews.org/01/policy_routing.php - *Example 3 - Routing
> for Multiple Network*
> The difference is that I'm using stateful rules.
>
> My guess is that the reply packets coming from the destination IP do
> not match the rules in the state table created by ipfilter.
>
> A telnet to www.google.com 80 will generate this rule in the state table:
>
> 10.1.4.1 -> 216.239.39.99 ttl 3596 pass 0x5006 pr 6 state 4/3
> pkts 4 bytes 188 32830 -> 80 fd654c28:18ea8803
> 5840<<0:8190<<0
> pass out quick keep state IPv4
> pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
> pkt_security & ffff = 0, pkt_auth & ffff = 0
> interfaces: in fxp0,fxp2 out fxp1,fxp0
>
>
> Any idea on how to fix it? ipnat and ipfilter configuration below:
>
> Thanks in advance.
>
> ----ipnat.rules:
> map fxp1 10.0.0.0/16 -> a.b.c.d/32 portmap tcp/udp 1025:65000
> map fxp1 10.0.0.0/16 -> a.b.c.d/32
>
> map fxp2 10.1.0.0/16 -> e.f.g.h/32 portmap tcp/udp 1025:65000
> map fxp2 10.1.0.0/16 -> e.f.g.h/32
>
>
> ----ipf.rules:
> pass out quick on fxp1 to fxp2:fxp2_gateway from 10.1.0.0/16 to any keep state
>
> block return-rst in log on fxp1 proto tcp all flags S head 100
> pass in proto tcp from any to 10.0.5.1/32 port = 25 flags S keep state group 100
>
> block out log on fxp1 all head 150
> pass out proto tcp all flags S/SA keep state group 150
> pass out proto udp all keep state group 150
> pass out proto icmp all keep state group 150
>
> block return-icmp-as-dest(port-unr) in log on fxp1 proto udp all head 155
> block in proto udp from any to a.b.c.d/32 port = 137 group 155
>
> block return-rst in log on fxp2 proto tcp all flags S head 200
> pass in proto tcp from any to 10.1.5.1/32 port = 25 flags S keep state group 200
>
> block out log on fxp2 all head 250
> pass out proto tcp all flags S/SA keep state group 250
> pass out proto udp all keep state group 250
> pass out proto icmp all keep state group 250
>
> block return-icmp-as-dest(port-unr) in log on fxp2 proto udp all head 255
> block in proto udp from any to e.f.g.h/32 port = 137 group 255
>
> pass in quick on fxp0 all
> pass out quick on fxp0 all
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> --
> --------------------------------
> - João Assad
> - ParPerfeito Comunicação LTDA
> - http://www.parperfeito.com.br/
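An added diagnostic, not code from the thread: it parses the `ipfstat -sl` style state entry quoted in the message and compares the out interface the state recorded against the per-network egress policy the post describes (10.0.0.0/16 via fxp1, 10.1.0.0/16 via fxp2). Reading the printed interface lists as forward direction first, reverse second is my assumption; the sample input is the quoted entry reflowed.

```python
import ipaddress
import re

# Constructed sample: the state entry quoted in the post, one field group per line.
STATE_DUMP = """\
10.1.4.1 -> 216.239.39.99 ttl 3596 pass 0x5006 pr 6 state 4/3
pkts 4 bytes 188 32830 -> 80 fd654c28:18ea8803
5840<<0:8190<<0
pass out quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in fxp0,fxp2 out fxp1,fxp0
"""

# Which ISP interface each internal network is supposed to egress through (from the post).
POLICY = {"10.0.0.0/16": "fxp1", "10.1.0.0/16": "fxp2"}

HEAD_RE = re.compile(r"^(\S+) -> (\S+) ttl \d+ (\w+) \S+ pr (\d+) state")
PORTS_RE = re.compile(r"^pkts \d+ bytes \d+ (\d+) -> (\d+)")
IFACE_RE = re.compile(r"^interfaces: in (\S+) out (\S+)")

def parse_state(dump):
    """Extract src/dst, action, protocol, ports and interface lists from one entry."""
    entry = {}
    for line in dump.splitlines():
        if m := HEAD_RE.match(line):
            entry.update(src=m[1], dst=m[2], action=m[3], proto=int(m[4]))
        elif m := PORTS_RE.match(line):
            entry.update(sport=int(m[1]), dport=int(m[2]))
        elif m := IFACE_RE.match(line):
            # Two interfaces per direction are printed; the first of each list is
            # taken as the one bound when the state was created (assumption).
            entry["in_ifs"] = m[1].split(",")
            entry["out_ifs"] = m[2].split(",")
    return entry

def check_egress(entry, policy=POLICY):
    """Return (expected_if, recorded_if) when the state's recorded out interface
    disagrees with the policy for the source network, otherwise None."""
    src = ipaddress.ip_address(entry["src"])
    for net, want in policy.items():
        if src in ipaddress.ip_network(net):
            got = entry["out_ifs"][0]
            return None if got == want else (want, got)
    return None
```

For the quoted entry the check reports ("fxp2", "fxp1"): the state was bound to fxp1 by the `pass out quick on fxp1 to fxp2:...` rule even though the packet was handed to fxp2, which is the kind of mismatch worth confirming before blaming ipfilter or FreeBSD.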