From: Brian Fundakowski Feldman
To: Marko Cuk
Cc: freebsd-pf@freebsd.org
Date: Tue, 8 Nov 2005 22:22:52 -0500
Subject: Re: Tun and ALTQ
Message-ID: <20051109032252.GN37350@green.homeunix.org>
In-Reply-To: <43715469.9030505@cuk.nu>

On Wed, Nov 09, 2005 at 02:44:09AM +0100, Marko Cuk wrote:
> Max, thanks for the explanation, and thanks to the others for the help.
>
> The second thing is the route-to routing capability of pf.
> I have one dual-homed firewall and the configuration is very
> complicated, because I must have two NATs (certain subnets through one
> ISP, certain through another), routing, filtering, ALTQ, ...
> The firewall has one default route, and the NAT which is on the default
> route works OK.
> The problem is the NAT on the other ISP, which works, but the
> packet (translated from RFC1918 to a public IP) is sent through the DEFAULT
> route instead of to ISP2's default gateway (next hop).
>
> I have solved it like this:
> em0 is the default ISP and has the default route, em1 is ISP2
> pass out on em0 route-to (em1 x.x.x.1) from x.x.x.2 to any
>
> but it still won't "catch" all packets, and tcpdumping em0 shows me that
> on em0 I get outgoing x.x.x.2 IPs ... The reply comes in on em1, that's OK.
>
> I have managed it with ipf, like this:
> pass out quick on em0 to em1:x.x.x.1 from x.x.x.2 to any
>
> but I still don't like having 2 packet filters on a host...
>
> Does anyone have a clue about that? I can't catch the packet on the internal
> interface, because there it has an RFC1918 IP (192.168.x.x), and if I route-to
> it, it will "bypass" NAT and that's not OK :) . If I do NAT and catch it
> on the outer interface, there are some packets "leaking" through on the default
> route.
> Anyone with that setup here?

I can show you my setup -- it won't apply directly as I use IPFW, but it
should give you an idea of how it can be done.
/etc/hosts:

66.92.150.152	extip1
66.92.150.217	extip2

/etc/rc.conf:

network_interfaces="lo0 xl0 dc0"
ifconfig_xl0="inet extip1 netmask 255.255.255.0"
ifconfig_xl0_alias0="inet extip2 netmask 255.255.255.0"
ifconfig_dc0="inet 10.0.0.1 netmask 255.255.0.0"
defaultrouter="66.92.150.1"
ppp_enable="NO"
ppp_mode="dedicated"
ppp_profile="t-mobile"
ppp_user="green"
natd1_enable="YES"
natd1_flags="-port 8668 -alias_address extip1 -redirect_port tcp macintosh:6882 6882 -use_sockets -same_ports"
natd2_enable="YES"
natd2_flags="-port 8669 -alias_address extip2 -use_sockets -same_ports"
pf_only_altq="YES"
pf_enable="YES"
firewall_enable="YES"
firewall_type="/etc/firewall-altq"

/etc/pf.conf:

altq on xl0 cbq bandwidth 650Kb queue { \
	local, \
	my_nat, \
	not_my_nat \
}
queue local bandwidth 25% priority 7 cbq(borrow) { \
	local_int_ssh, \
	local_fasts, \
	local_rest \
}
queue local_int_ssh priority 7 bandwidth 40% qlimit 20 cbq(borrow)
queue local_fasts priority 4 bandwidth 20% qlimit 20 cbq(borrow) { \
	local_fast, \
	local_faster \
}
queue local_fast bandwidth 50% priority 1 qlimit 20 cbq(borrow)
queue local_faster bandwidth 50% priority 7 qlimit 20 cbq(borrow)
queue local_rest priority 1 bandwidth 40% cbq(borrow) { \
	local_ssh, \
	local_surf, \
	local_def \
}
queue local_surf bandwidth 25% priority 7 qlimit 20 cbq(borrow)
queue local_ssh bandwidth 50% priority 4 qlimit 20 cbq(borrow)
queue local_def bandwidth 25% priority 1 qlimit 20 cbq(borrow default)
queue my_nat bandwidth 25% priority 4 cbq(borrow) { \
	my_nat_int_ssh, \
	my_nat_fasts, \
	my_nat_rest \
}
queue my_nat_int_ssh priority 7 bandwidth 40% qlimit 20 cbq(borrow)
queue my_nat_fasts priority 4 bandwidth 20% qlimit 20 cbq(borrow) { \
	my_nat_fast, \
	my_nat_faster \
}
queue my_nat_fast bandwidth 50% priority 1 qlimit 20 cbq(borrow)
queue my_nat_faster bandwidth 50% priority 7 qlimit 20 cbq(borrow)
queue my_nat_rest priority 1 bandwidth 40% cbq(borrow) { \
	my_nat_ssh, \
	my_nat_surf, \
	my_nat_def \
}
queue my_nat_surf bandwidth 25% priority 7 qlimit 20 cbq(borrow)
queue my_nat_ssh bandwidth 50% priority 4 qlimit 20 cbq(borrow)
queue my_nat_def bandwidth 25% priority 1 qlimit 20 cbq(borrow)
queue not_my_nat bandwidth 50% priority 1 cbq(borrow) { \
	nat_fast, \
	nat_def \
}
queue nat_fast bandwidth 50% priority 7 qlimit 20 cbq(borrow)
queue nat_def bandwidth 50% priority 1 qlimit 20 cbq(borrow)

/etc/firewall-altq:

# Enable one_pass optimization (no dummynet used).
enable one_pass
# Turn ALTQ off.
disable altq
# Make all unknown traffic natd reinserts start after the divert section.
add skipto 1000 ip from any to any diverted
# Divert non-locally-generated egress and all ingress traffic to natd.
add divert 8668 ip from macintosh to not 10.0/8 out via xl0
add divert 8668 ip from not 10.0/8 to extip1 in via xl0
add divert 8669 ip from 10.0/8 to not 10.0/8 out via xl0
add divert 8669 ip from not 10.0/8 to extip2 in via xl0
# Explicitly deny private addresses to/from the world.
add 1000 deny log ip from any to 10.0/8 in via xl0 not diverted-loopback
add deny log ip from 10.0/8 to any out via xl0
add allow ip from 10.0/8 to not 10.0/8 in via dc0
add allow ip from not 10.0/8 to 10.0/8 in via xl0 diverted-loopback
add allow ip from not 10.0/8 to 10.0/8 out via dc0
# Respect the loopback net.
add allow ip from any to any via lo0
add deny log ip from any to 127.0.0.0/8
add deny log ip from 127.0.0.0/8 to any
# Deny+log interesting local services from the outside world.
add deny log tcp from any to any 25,137,138,139,445,631 setup in via xl0
add deny log udp from any to any 53,137,138,139 in via xl0
# ALTQ classification:
# All ALTQ overrides that need to ignore state.  They are not passed or
# dropped here, but simply given a tag.  Multiple tags result in the first
# one being used by ALTQ.
#
# NAT'd egress traffic:
# My NAT'd interactive SSH.
add count altq my_nat_int_ssh tcp from extip1 to any 22 iptos lowdelay out diverted-output
# My NAT'd TCP ack w/o data, TCP setup, IPTOS_LOWDELAY:
add count altq my_nat_faster tcp from extip1 to any setup diverted-output
add count altq my_nat_fast ip from extip1 to any iptos lowdelay diverted-output
add count altq my_nat_fast tcp from extip1 to any tcpflags ack tcpdatalen 0 diverted-output
# Their NAT'd TCP ack w/o data, TCP setup, IPTOS_LOWDELAY:
add count altq nat_fast ip from extip2 to any iptos lowdelay diverted-output
add count altq nat_fast tcp from extip2 to any setup diverted-output
add count altq nat_fast tcp from extip2 to any tcpflags ack tcpdatalen 0 diverted-output
# Interactive SSH:
add count altq local_int_ssh tcp from any 22 to any iptos lowdelay out
add count altq local_int_ssh tcp from any to any 22 iptos lowdelay out
# TCP ack w/o data, TCP setup, IPTOS_LOWDELAY:
add count altq local_faster tcp from any to any setup out
add count altq local_fast ip from any to any iptos lowdelay out
add count altq local_fast tcp from any to any tcpflags ack tcpdatalen 0 out
# Cut-off point: now we account for state.
add check-state
#
# Services allowed internally:
add allow tcp from any to any 22,80,113,123,139,443,445,8080,8443,88,749 setup keep-state in via dc0
add allow udp from any to any 53,68,137,138,88,464 keep-state in via dc0
#
# Chat:
add allow altq my_nat_fast tcp from extip1 to any 5190-5193,6666-6667 setup keep-state diverted-output
# My non-interactive SSH:
add allow altq my_nat_ssh tcp from extip1 to any 22 setup keep-state diverted-output
# My web surfing:
add allow altq my_nat_surf tcp from extip1 to any dst-port 80,443,8080,8443 setup keep-state out
# My NAT'd default:
add allow altq my_nat_def icmp from extip1 to any diverted-output
add allow altq my_nat_def tcp from extip1 to any diverted-output
add allow altq my_nat_def udp from extip1 to any diverted-output
# NAT'd default:
add allow altq nat_def icmp from any to any diverted-output
add allow altq nat_def tcp from any to any diverted-output
add allow altq nat_def udp from any to any diverted-output
# locally-generated egress traffic:
# DNS, NTP:
add allow altq local_fast udp from any to any 53,123 keep-state
# Chat:
add allow altq local_fast tcp from any to any 5190-5193,6666-6667 setup keep-state out
# Non-interactive SSH:
add allow altq local_ssh tcp from any to any 22 setup keep-state out
add allow altq local_ssh tcp from any to any 22 setup keep-state in
# Web surfing:
add allow altq local_surf tcp from any to any dst-port 80,443,8080,8443 setup keep-state out
# Services allowed inbound:
add allow altq local_fast tcp from any to any 113 setup keep-state in
add allow altq local_def tcp from any to any 22,80,113,443,5432,6881-6980,8080,8443 setup keep-state in
# default:
add allow altq local_def icmp from any to any
add allow altq local_def tcp from any to any setup keep-state out
add allow altq local_def udp from any to any keep-state out
# Turn ALTQ back on.
enable altq

-- 
Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org                               \  The Power to Serve! \
 Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\
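For reference, a pf-only ruleset for the dual-homed case Marko describes, as an added example that is neither Brian's IPFW config above nor Marko's actual ruleset. It follows the multi-homed pattern documented in the pf FAQ and pf.conf(5): a `nat` rule on each external interface, `route-to` placed on the internal-interface rule that creates the state (so the outgoing interface is chosen before the `nat on em1` rule is consulted and the choice is stored in the state), and `reply-to` on inbound rules for services bound to the ISP2 address so their replies leave via ISP2's gateway rather than the default route. em0 and em1 are the interface names from Marko's mail; fxp0, the subnet split, and the RFC 5737 documentation addresses are assumptions.

```pf
# Constructed example, not Brian's or Marko's configuration.
# em0/em1 follow Marko's mail; fxp0, subnets and addresses are assumed.
ext_if1  = "em0"            # ISP1: holds the default route
ext_if2  = "em1"            # ISP2
int_if   = "fxp0"
ext_gw2  = "198.51.100.1"   # ISP2 next hop (Marko's x.x.x.1), assumed
lan_net  = "192.168.0.0/24"
isp2_net = "192.168.0.128/25"   # hosts that must leave through ISP2

# Translate on the interface the packet actually leaves on.  route-to on
# the inbound rule below selects em1 for $isp2_net before the packet is
# tested outbound, so the second nat rule fires even though the routing
# table would have picked em0.
nat on $ext_if1 from $lan_net  to any -> ($ext_if1)
nat on $ext_if2 from $isp2_net to any -> ($ext_if2)

block log all
pass quick on lo0 all

# Bind the routing decision to the state when the state is created.  Later
# packets of the flow match the state (which carries the route-to target)
# and are never re-evaluated against a rule on em0, so nothing "leaks".
# Last match wins in pf, so the specific rule carries quick.
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    from $isp2_net to any keep state
pass in on $int_if from $lan_net to any keep state

# Post-NAT egress on each external interface creates the outer-side state.
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state

# Services the firewall offers on its ISP2 address: reply-to routes the
# reply half of the state through ISP2's gateway instead of the default
# route, which is what a plain "pass out on em0 route-to" rule cannot do
# once a floating state already passes those packets without rule lookup.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port 22 flags S/SA keep state

# Unsolicited locally generated traffic sourced from the ISP2 address
# (a daemon bound to em1 opening an outbound connection) would follow the
# default route out em0; send it to ISP2's gateway instead.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) \
    from ($ext_if2) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and after loading run `pfctl -F state`: states created under the old ruleset keep whatever routing target (or none) they were created with, so traffic that was already stateful continues to use the old path until its state expires. `pfctl -ss` shows which interface each state was created on, and `pfctl -vvsr` shows per-rule match counters, which together make it quick to see whether a packet that still appears on em0 in tcpdump matched a state or a rule.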