Date:      Fri, 21 Mar 2008 13:59:46 -0700
From:      Doug Sampson <dougs@dawnsign.com>
To:        "'freebsd-pf@freebsd.org'" <freebsd-pf@freebsd.org>
Subject:   Bacula File/Storage Connection Woes using PF
Message-ID:  <9DE6EC5B5CF8C84281AE3D7454376A0D6D0288@cetus.dawnsign.com>

I want to back up a client running packet filter. I am using Bacula to
back up this client to a Bacula server in the internal network. The Bacula
client has two interfaces: one external and one internal. The client's
internal IF is 192.168.1.25. The Bacula server is at 192.168.1.17.

When I attempt to contact the Bacula file daemon on the client, it responds
by sending packets to the Bacula server daemon at a different port. It
should contact the storage daemon at port 9103 but instead it attempts to
contact the storage daemon at a port address that is not 9103. Thus the
backup job fails.

I've tried rdr to no avail. Here's my pf.conf:

mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf
ext_if = "rl0"
int_if = "xl0"
internal_net = "192.168.1.1/24"
external_addr = "xxx.xxx.xxx.xxx"
vpn_net = "10.8.0.0/24"
icmp_types = "echoreq"
NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
webserver1 = "192.168.1.4"
set skip on { lo0 }
set skip on { gif0 }
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
@4 rdr pass inet proto tcp from <spamd-white:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
@5 rdr pass inet proto tcp from <spamd:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@6 rdr pass inet proto tcp from ! <spamd-mywhite:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@7 block drop in log all
@8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
@9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
@10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
@12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
@13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
@14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
@15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
@16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
@18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
@19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
@20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
@21 block drop in log quick inet from 192.168.1.25 to any
@22 pass in on xl0 inet from 192.168.1.0/24 to any
@23 pass out log on xl0 inet from any to 192.168.1.0/24
@24 pass out log quick on xl0 inet from any to 10.8.0.0/24
@25 pass out on rl0 proto tcp all flags S/SA modulate state
@26 pass out on rl0 proto udp all keep state
@27 pass out on rl0 proto icmp all keep state
@28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
@29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
warning: macro 'icmp_types' not used
mailfilter@/usr/local/etc#

mailfilter@~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304 <nop,nop,timestamp 16163436[|tcp]>
000465 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 63:80(17) ack 66 win 33304 <nop,nop,timestamp 16163436[|tcp]>
000387 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 80:107(27) ack 125 win 33304 <nop,nop,timestamp 16163436[|tcp]>
002063 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 107:125(18) ack 142 win 33304 <nop,nop,timestamp 16163439[|tcp]>
002249 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 125:203(78) ack 271 win 33304 <nop,nop,timestamp 16163441[|tcp]>
100679 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 289 win 33304 <nop,nop,timestamp 16163542[|tcp]>
000913 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 203:223(20) ack 612 win 33304 <nop,nop,timestamp 16163542[|tcp]>
000396 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 223:241(18) ack 643 win 33304 <nop,nop,timestamp 16163543[|tcp]>
099682 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 699 win 33304 <nop,nop,timestamp 16163643[|tcp]>

Why is the Bacula file daemon trying to contact the Bacula storage daemon at
port 54569 instead of port 9103? I'm guessing that rule 23 is responsible
for these log entries but am not sure, as these entries point to rule 16 as
the matching rule. I am baffled by this, as these entries use neither
127.0.0.1 nor the rl0 interface.

What should happen is that the Bacula director daemon contacts the client's
Bacula file daemon at port 9102 from port 9101. The file daemon on the
client should contact the Bacula storage daemon at port 9103 using port 9102
and execute the backup routine. More details at:

http://bacula.org/en/rel-manual/Dealing_with_Firewalls.html#SECTION004722000000000000000

The section suggests using port forwarding to redirect packets to port 9103,
but I have been unsuccessful. Please note that there is no firewall between
the client and the server; only the mailfilter client runs pf.

My Bacula config on the server works fine as it can back up LAN clients that
are not using packet filter.

~Doug
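The following Python script is an added example for readers of this thread; it is not part of Doug's message, nor code from Bacula or pf. It takes the pflog lines and the pfctl -vvnf listing posted above and answers the two questions the post raises. First, it maps the "rule 16" in the pflog output to the @N number in the pfctl listing: the pflog rule number indexes the filter ruleset only, so the scrub/nat/rdr rules that pfctl prints first shift the numbering by the @N of the first block/pass rule (the listing bears this out: @16 is a block rule on rl0, while the logged packets were passed out on xl0, which is @23). Second, it labels each logged TCP flow by Bacula's default ports (9101 director, 9102 file daemon, 9103 storage daemon, from the Bacula firewall documentation linked in the post) so that a daemon answering from its listening port to an ephemeral port is recognised as the server side of an inbound connection rather than a client connecting out. The listing excerpt and log lines are constructed from the post with the mail-wrapped lines rejoined, keeping only the rules the mapping needs.

```python
"""Decode pflog/tcpdump records against a pfctl -vvnf listing.

Added example, not from the post or from pf/Bacula. Assumes pf's convention
that the rule number in a pflog record counts filter rules only, and uses
Bacula's default ports from the Bacula firewall documentation.
"""
import re

# Bacula default daemon ports (Bacula firewall documentation).
BACULA_PORTS = {9101: "director", 9102: "file daemon", 9103: "storage daemon"}

# Constructed excerpt of the pfctl -vvnf listing from the post, wrapped lines
# rejoined; only the rules needed to demonstrate the mapping are kept.
PFCTL_LISTING = """\
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
@4 rdr pass inet proto tcp from <spamd-white:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
@5 rdr pass inet proto tcp from <spamd:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@6 rdr pass inet proto tcp from ! <spamd-mywhite:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@7 block drop in log all
@16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@23 pass out log on xl0 inet from any to 192.168.1.0/24
"""

# Constructed sample: two pflog records from the post, wrapped lines rejoined.
PFLOG_LINES = [
    "000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: "
    "S 3943875170:3943875170(0) ack 2725840709 win 65535 <mss 1460,nop,wscale 1,[|tcp]>",
    "005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: "
    "P 1:63(62) ack 39 win 33304 <nop,nop,timestamp 16163436[|tcp]>",
]

RULE_RE = re.compile(r"^@(\d+)\s+(\S+)\s+(.*)$")
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse_pfctl_listing(text):
    """Return ({@N: rule text}, @N of the first filter rule).

    pflog numbers rules within the filter ruleset only, so every scrub, nat
    or rdr rule pfctl prints before the first block/pass rule shifts the
    @N numbers relative to what pflog reports.
    """
    rules, first_filter = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, keyword, rest = int(m.group(1)), m.group(2), m.group(3)
        rules[num] = f"{keyword} {rest}"
        if first_filter is None and keyword in ("pass", "block"):
            first_filter = num
    return rules, first_filter


def pflog_rule_to_at_number(pflog_rule, first_filter):
    """Translate a pflog filter-rule index into the pfctl -vvnf @N number."""
    return first_filter + pflog_rule


def parse_pflog_line(line):
    """Pull rule number, direction, interface and the TCP 4-tuple out of a record."""
    m = PFLOG_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised pflog line: {line!r}")
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def describe_flow(sport, dport):
    """Say which end of the flow is the listening Bacula daemon."""
    if dport in BACULA_PORTS:
        return f"connection toward the {BACULA_PORTS[dport]} (port {dport})"
    if sport in BACULA_PORTS:
        return (f"{BACULA_PORTS[sport]} (port {sport}) answering a connection "
                f"initiated from ephemeral port {dport}")
    return "not a default Bacula port"


def explain(pflog_line, listing_text):
    """Resolve one pflog record to its pfctl rule and a flow description."""
    rules, first_filter = parse_pfctl_listing(listing_text)
    pkt = parse_pflog_line(pflog_line)
    at = pflog_rule_to_at_number(pkt["rule"], first_filter)
    return {
        "pflog_rule": pkt["rule"],
        "pfctl_rule": at,
        "rule_text": rules.get(at, "<not in excerpt>"),
        "flow": describe_flow(pkt["sport"], pkt["dport"]),
    }


if __name__ == "__main__":
    for line in PFLOG_LINES:
        r = explain(line, PFCTL_LISTING)
        print(f"pflog rule {r['pflog_rule']} -> @{r['pfctl_rule']}: {r['rule_text']}")
        print(f"  {r['flow']}")
```

Run against the two constructed records, the script resolves pflog rule 16 to @23 ("pass out log on xl0 inet from any to 192.168.1.0/24") and labels the flow as the file daemon on port 9102 answering a connection that arrived from ephemeral port 54569; a file daemon opening its own connection to the storage daemon would instead show up with destination port 9103.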


