From: Doug Sampson
To: freebsd-pf@freebsd.org
Date: Fri, 21 Mar 2008 13:59:46 -0700
Subject: Bacula File/Storage Connection Woes using PF

I want to back up a client running packet filter. I am using Bacula to back up this client to a Bacula server in the internal network. The Bacula client has two interfaces: one external and one internal. The client's internal IF is 192.168.1.25. The Bacula server is at 192.168.1.17. When I attempt to contact the Bacula file daemon on the client, it responds by sending packets to the Bacula server daemon at a different port. It should contact the storage daemon at port 9103, but instead it attempts to contact the storage daemon at a port address that is not 9103.
Thus the backup job fails. I've tried rdr to no avail. Here's my pf.conf:

mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf
ext_if = "rl0"
int_if = "xl0"
internal_net = "192.168.1.1/24"
external_addr = "xxx.xxx.xxx.xxx"
vpn_net = "10.8.0.0/24"
icmp_types = "echoreq"
NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
webserver1 = "192.168.1.4"
set skip on { lo0 }
set skip on { gif0 }
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
table persist
table persist
table persist file "/usr/local/etc/spamd/spamd-mywhite"
@4 rdr pass inet proto tcp from to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
@5 rdr pass inet proto tcp from to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@6 rdr pass inet proto tcp from ! to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@7 block drop in log all
@8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
@9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
@10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
@12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
@13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
@14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
@15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
@16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
@18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
@19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
@20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
@21 block drop in log quick inet from 192.168.1.25 to any
@22 pass in on xl0 inet from 192.168.1.0/24 to any
@23 pass out log on xl0 inet from any to 192.168.1.0/24
@24 pass out log quick on xl0 inet from any to 10.8.0.0/24
@25 pass out on rl0 proto tcp all flags S/SA modulate state
@26 pass out on rl0 proto udp all keep state
@27 pass out on rl0 proto icmp all keep state
@28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
@29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
warning: macro 'icmp_types' not used
mailfilter@/usr/local/etc#

mailfilter@~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535
005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304
000465 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 63:80(17) ack 66 win 33304
000387 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 80:107(27) ack 125 win 33304
002063 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 107:125(18) ack 142 win 33304
002249 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 125:203(78) ack 271 win 33304
100679 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 289 win 33304
000913 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 203:223(20) ack 612 win 33304
000396 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 223:241(18) ack 643 win 33304
099682 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 699 win 33304

Why is the Bacula file daemon trying to contact the Bacula storage daemon at port 54569 instead of port 9103? I'm guessing that rule 23 is responsible for these log entries, but am not sure, as these entries point to rule 16 as the matching rule. I am baffled by this, as these entries use neither 127.0.0.1 nor the rl0 interface.

What should happen is that the Bacula director daemon contacts the client's Bacula file daemon at port 9102 from port 9101. The file daemon on the client should contact the Bacula storage daemon at port 9103 using port 9102 and execute the backup routine. More details at:

http://bacula.org/en/rel-manual/Dealing_with_Firewalls.html#SECTION004722000000000000000

The section suggests using port forwarding to redirect packets to port 9103, but I have been unsuccessful. Please note that there is no firewall between the client and the server; only the mailfilter client runs pf. My Bacula config on the server works fine, as it can back up LAN clients that are not using packet filter.

~Doug
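As an added example (not part of the original post), a small parser for pflog lines of the kind quoted above that uses the TCP flags to say which end opened each logged connection: a SYN that already carries an ack is the reply half of the handshake, so on that line the source port is the listening service and the destination port is the peer's ephemeral port. The sample lines are constructed after the ones in the post.

```python
import re

# Constructed sample in the shape of the pflog lines quoted in the post
# (tcpdump -n -e -ttt -i pflog0); values copied from those lines, not captured here.
PFLOG_SAMPLE = """\
000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535
005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304
000913 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 289 win 33304
"""

# One line: rule, action, direction, interface, endpoints, TCP flags, optional ack.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPFR.]+) (?:\d+:\d+\(\d+\) )?(?:ack (?P<ack>\d+))?"
)


def classify(line):
    """Return (kind, listener, peer, rule) for one line, or None if it does not parse.

    kind: 'syn'     -> src is opening a connection to dst (dst is the service)
          'syn-ack' -> src is answering a connection dst opened (src is the service)
          'data'    -> flags alone do not say who opened it
    """
    m = LINE_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    src, dst = f"{d['src']}:{d['sport']}", f"{d['dst']}:{d['dport']}"
    if "S" in d["flags"] and d["ack"] is None:
        return ("syn", dst, src, int(d["rule"]))
    if "S" in d["flags"]:
        return ("syn-ack", src, dst, int(d["rule"]))
    return ("data", None, None, int(d["rule"]))


def handshake_summary(log_text):
    """Map each service endpoint to the set of peers that opened a connection to it."""
    opened = {}
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec[0] in ("syn", "syn-ack"):
            opened.setdefault(rec[1], set()).add(rec[2])
    return opened


if __name__ == "__main__":
    print(handshake_summary(PFLOG_SAMPLE))
```

For the sample this reports 192.168.1.25:9102 as the service end and 192.168.1.17:54569 as the peer that connected to it.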