Date: Wed, 20 Oct 2004 12:47:56 -0300
From: João Assad <jfassad@parperfeito.com.br>
To: isp@freebsd.org
Subject: Re: problem configuring ipfilter for multiple network routing
Message-ID: <417688AC.1030407@parperfeito.com.br>
In-Reply-To: <417569E0.90707@parperfeito.com.br>
References: <417569E0.90707@parperfeito.com.br>
No response... So I take it it's either an ipfilter or FreeBSD limitation?

João Assad wrote:
> Hello guys,
>
> I have a firewall with 3 network interfaces, 2 external (fxp1 and fxp2) and 1 internal (fxp0).
> fxp0 is connected to my private network while fxp1 and fxp2 are connected to two different ISPs.
>
> I'm trying to use ipfilter to route outgoing packets through two different interfaces and their respective gateways based on the packet's source IP.
>
> My problem is that when a packet comes from 10.1.0.0/16, it is correctly routed through the fxp2 interface and reaches the destination... but the reply packets are lost in my firewall and never reach the sender IP from the 10.1.0.0/16 network.
>
> Packets coming from 10.0.0.0/16 work perfectly.
>
> You can see what I'm trying to do at http://www.bsdnews.org/01/policy_routing.php - *Example 3 - Routing for Multiple Network*
> The difference is that I'm using stateful rules.
>
> My guess is that the reply packets coming from the destination IP do not match the rules in the state table created by ipfilter.
>
> A telnet to www.google.com 80 will generate this rule in the state table:
>
> 10.1.4.1 -> 216.239.39.99 ttl 3596 pass 0x5006 pr 6 state 4/3
>         pkts 4 bytes 188 32830 -> 80 fd654c28:18ea8803 5840<<0:8190<<0
>         pass out quick keep state IPv4
>         pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
>         pkt_security & ffff = 0, pkt_auth & ffff = 0
>         interfaces: in fxp0,fxp2 out fxp1,fxp0
>
> Any idea on how to fix it? ipnat and ipfilter configuration below:
>
> Thanks in advance.
>
> ----ipnat.rules:
> map fxp1 10.0.0.0/16 -> a.b.c.d/32 portmap tcp/udp 1025:65000
> map fxp1 10.0.0.0/16 -> a.b.c.d/32
>
> map fxp2 10.1.0.0/16 -> e.f.g.h/32 portmap tcp/udp 1025:65000
> map fxp2 10.1.0.0/16 -> e.f.g.h/32
>
> ----ipf.rules:
> pass out quick on fxp1 to fxp2:fxp2_gateway from 10.1.0.0/16 to any keep state
>
> block return-rst in log on fxp1 proto tcp all flags S head 100
> pass in proto tcp from any to 10.0.5.1/32 port = 25 flags S keep state group 100
>
> block out log on fxp1 all head 150
> pass out proto tcp all flags S/SA keep state group 150
> pass out proto udp all keep state group 150
> pass out proto icmp all keep state group 150
>
> block return-icmp-as-dest(port-unr) in log on fxp1 proto udp all head 155
> block in proto udp from any to a.b.c.d/32 port = 137 group 155
>
> block return-rst in log on fxp2 proto tcp all flags S head 200
> pass in proto tcp from any to 10.1.5.1/32 port = 25 flags S keep state group 200
>
> block out log on fxp2 all head 250
> pass out proto tcp all flags S/SA keep state group 250
> pass out proto udp all keep state group 250
> pass out proto icmp all keep state group 250
>
> block return-icmp-as-dest(port-unr) in log on fxp2 proto udp all head 255
> block in proto udp from any to e.f.g.h/32 port = 137 group 255
>
> pass in quick on fxp0 all
> pass out quick on fxp0 all
>
> pass in quick on lo0 all
> pass out quick on lo0 all

-- 
--------------------------------
- João Assad
- ParPerfeito Comunicação LTDA
- http://www.parperfeito.com.br/
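An added consistency check, not part of the thread or of ipfilter itself: it parses the ipnat `map` rules and the `pass out ... on IF1 to IF2:gw from NET` policy-routing rules above and reports, per rule, whether the source network has a NAT map on the interface the filter rule is evaluated on (fxp1) and on the interface the packet is actually pushed out of (fxp2). Which of the two interfaces ipfilter consults for outbound NAT when `to` overrides routing is an assumption to verify on the box with `ipnat -l` and `ipfstat -sl`; the check only makes the asymmetry visible.

```python
import ipaddress
import re

# Constructed sample: the ipnat.rules and ipf.rules lines from the thread,
# with the address/gateway placeholders left exactly as in the post.
IPNAT_RULES = """\
map fxp1 10.0.0.0/16 -> a.b.c.d/32 portmap tcp/udp 1025:65000
map fxp1 10.0.0.0/16 -> a.b.c.d/32
map fxp2 10.1.0.0/16 -> e.f.g.h/32 portmap tcp/udp 1025:65000
map fxp2 10.1.0.0/16 -> e.f.g.h/32
"""

IPF_RULES = """\
pass out quick on fxp1 to fxp2:fxp2_gateway from 10.1.0.0/16 to any keep state
block out log on fxp1 all head 150
pass out proto tcp all flags S/SA keep state group 150
"""

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->")
# 'pass out ... on IF1 to IF2[:gateway] from SRC to ...'
TO_RE = re.compile(r"^pass\s+out\b.*\bon\s+(\S+)\s+to\s+(\S+?)(?::\S+)?\s+from\s+(\S+)\s+to\s+")

def parse_maps(text):
    """Return {interface: [network, ...]} for every ipnat 'map' rule."""
    maps = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group(2), strict=False)
            maps.setdefault(m.group(1), []).append(net)
    return maps

def covered(net, maps, ifname):
    """True if some map rule on ifname covers the whole source network."""
    return any(net.subnet_of(n) for n in maps.get(ifname, []))

def check_policy_routes(ipf_text, ipnat_text):
    """For each policy-routing rule, say whether its source network has a NAT
    map on the rule's own interface and on the 'to' target interface."""
    maps = parse_maps(ipnat_text)
    results = []
    for line in ipf_text.splitlines():
        m = TO_RE.match(line.strip())
        if not m or m.group(3) == "any":
            continue
        rule_if, target_if = m.group(1), m.group(2)
        net = ipaddress.ip_network(m.group(3), strict=False)
        results.append({"rule_if": rule_if, "target_if": target_if, "net": str(net),
                        "map_on_rule_if": covered(net, maps, rule_if),
                        "map_on_target_if": covered(net, maps, target_if)})
    return results
```

For the posted configuration the single policy-routing rule comes back with a map on fxp2 only, which is the asymmetry worth checking against the live NAT and state tables.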