Date: Fri, 21 Mar 2008 22:45:14 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: Bacula File/Storage Connection Woes using PF
Message-ID: <200803212245.14894.max@love2party.net>
In-Reply-To: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0288@cetus.dawnsign.com>
References: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0288@cetus.dawnsign.com>
On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
> I want to back up a client running packet filter. I am using Bacula to
> back up this client to a Bacula server in the internal network. The
> Bacula client has two interfaces: one external and one internal. The
> client's internal IF is 192.168.1.25. The Bacula server is at
> 192.168.1.17.
>
> When I attempt to contact the Bacula file daemon on the client, it
> responds by sending packets to the Bacula server daemon at a different
> port. It should contact the storage daemon at port 9103 but instead it
> attempts to contact the storage daemon at a port address that is not
> 9103. Thus the backup job fails.
>
> I've tried rdr to no avail. Here's my pf.conf:
>
> mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf

use "pfctl -vvsr" instead of -nf to make sure you really get the rules
that are loaded and not those that you wanted to load.

> ext_if = "rl0"
> int_if = "xl0"
> internal_net = "192.168.1.1/24"
> external_addr = "xxx.xxx.xxx.xxx"
> vpn_net = "10.8.0.0/24"
> icmp_types = "echoreq"
> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> webserver1 = "192.168.1.4"
> set skip on { lo0 }
> set skip on { gif0 }
> @0 scrub in all fragment reassemble
> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> @3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
> table <spamd> persist
> table <spamd-white> persist
> table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> @4 rdr pass inet proto tcp from <spamd-white:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
> @5 rdr pass inet proto tcp from <spamd:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
> @6 rdr pass inet proto tcp from ! <spamd-mywhite:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
> @7 block drop in log all
> @8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
> @9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> @11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> @12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> @13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> @14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> @15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> @16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> @17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> @18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> @19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> @20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> @21 block drop in log quick inet from 192.168.1.25 to any
> @22 pass in on xl0 inet from 192.168.1.0/24 to any
> @23 pass out log on xl0 inet from any to 192.168.1.0/24
> @24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> @25 pass out on rl0 proto tcp all flags S/SA modulate state
> @26 pass out on rl0 proto udp all keep state
> @27 pass out on rl0 proto icmp all keep state
> @28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> @29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> warning: macro 'icmp_types' not used
> mailfilter@/usr/local/etc#
>
> mailfilter@~# tcpdump -n -e -ttt -i pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304 <nop,nop,timestamp 16163436[|tcp]>
> 000465 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 63:80(17) ack 66 win 33304 <nop,nop,timestamp 16163436[|tcp]>
> 000387 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 80:107(27) ack 125 win 33304 <nop,nop,timestamp 16163436[|tcp]>
> 002063 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 107:125(18) ack 142 win 33304 <nop,nop,timestamp 16163439[|tcp]>
> 002249 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 125:203(78) ack 271 win 33304 <nop,nop,timestamp 16163441[|tcp]>
> 100679 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 289 win 33304 <nop,nop,timestamp 16163542[|tcp]>
> 000913 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 203:223(20) ack 612 win 33304 <nop,nop,timestamp 16163542[|tcp]>
> 000396 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 223:241(18) ack 643 win 33304 <nop,nop,timestamp 16163543[|tcp]>
> 099682 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 699 win 33304 <nop,nop,timestamp 16163643[|tcp]>
>
> Why is the Bacula file daemon trying to contact the Bacula storage
> daemon at port 54569 instead of port 9103? I'm guessing that rule 23 is
> responsible for these log entries but am not sure as these entries
> point to rule 16 as the matching rule. I am baffled by this as these
> entries do not use 127.0.0.1 nor the rl0 interface.

See above. I doubt this is a bug in pf.

> What should happen is that the Bacula director daemon contacts the
> client's Bacula file daemon at port 9102 from port 9101. The file
> daemon on the client should contact the Bacula storage daemon at port
> 9103 using port 9102 and execute the backup routine. More details at:
>
> http://bacula.org/en/rel-manual/Dealing_with_Firewalls.html#SECTION0047
> 22000 000000000000
>
> The section suggests using port forwarding to redirect packets to port
> 9103 but I have been unsuccessful. Please note that there is no
> firewall between the client and the server; only the mailfilter
> client runs pf.
>
> My Bacula config on the server works fine as it can back up LAN clients
> that are not using packet filter.

From the rules you quote above, I don't see why pf should interfere with
ports towards your internal net, but then again you might have other
rules loaded than you think you have - the pflog is a strong indication.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
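Added example, not code from either poster. The rule number in a pflog entry is the 0-based index of the matching rule in the loaded filter ruleset, the @N that `pfctl -vvsr` prints, whereas `pfctl -vvnf` numbers scrub, nat, rdr and filter rules in one sequence. In the quoted listing seven non-filter rules (@0 to @6) sit in front, so pflog's "rule 16" is @23, `pass out log on xl0 inet from any to 192.168.1.0/24`, which agrees with the logged `pass out on xl0` and is the rule Doug suspected. The script below renumbers a listing the way the kernel does, resolves each pflog line, and checks the action, direction and interface of the resolved rule against the log line; when no rule in the listing agrees with what pflog recorded, the loaded ruleset is not the file you are looking at, which is Max's point, and `pfctl -vvsr` output can be fed in instead since it uses the same `@N` prefix. The sample data is copied from the quoted message (abridged, rejoined onto one line per rule); the regular expressions encode my assumptions about the tcpdump pflog line format shown on the page.

```python
"""Resolve pflog rule numbers against a pfctl rule listing (added example).

pflog reports the 0-based index into the loaded *filter* ruleset; the
@N from `pfctl -vvnf` counts scrub/nat/rdr rules too, so it is offset.
"""
import re

# pfctl -vvnf listing from the quoted message, abridged to @0..@23.
PFCTL_VVNF = """\
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
@4 rdr pass inet proto tcp from <spamd-white:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
@5 rdr pass inet proto tcp from <spamd:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@6 rdr pass inet proto tcp from ! <spamd-mywhite:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@7 block drop in log all
@8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
@9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
@10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
@12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
@13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
@14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
@15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
@16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
@18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
@19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
@20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
@21 block drop in log quick inet from 192.168.1.25 to any
@22 pass in on xl0 inet from 192.168.1.0/24 to any
@23 pass out log on xl0 inet from any to 192.168.1.0/24
"""

# One pflog entry from the quoted `tcpdump -n -e -ttt -i pflog0` output.
PFLOG = [
    "000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: "
    "S 3943875170:3943875170(0) ack 2725840709 win 65535 <mss 1460,nop,wscale 1,[|tcp]>",
]

RULE_RE = re.compile(r"^@(\d+)\s+(\S+)\s+(.*)$")
# Assumed pflog line shape, taken from the page's tcpdump output.
PFLOG_RE = re.compile(
    r"rule (?P<nr>\d+)/\d+\(\w+\): (?P<action>pass|block) (?P<dir>in|out) on "
    r"(?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPRF.]+) (?P<rest>.*)$"
)
FILTER_ACTIONS = {"pass", "block"}


def parse_vvnf(text):
    """Return (by_file_nr, filter_rules): by_file_nr maps the listing's @N to rule
    text; filter_rules lists (file_nr, text) for filter rules only, and its list
    index is the number the kernel, pfctl -vvsr and pflog all use."""
    by_file_nr, filter_rules = {}, []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # macros, tables, warnings, counters
        nr, action, rest = int(m.group(1)), m.group(2), m.group(3)
        by_file_nr[nr] = f"{action} {rest}"
        if action in FILTER_ACTIONS:
            filter_rules.append((nr, by_file_nr[nr]))
    return by_file_nr, filter_rules


def parse_pflog(lines):
    entries = []
    for line in lines:
        m = PFLOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["nr"] = int(e["nr"])
            # SYN carrying an ACK number is a SYN/ACK: this host is answering a
            # connection it received on sport, not opening one towards dport.
            e["synack"] = e["flags"] == "S" and e["rest"].split()[1:2] == ["ack"]
            entries.append(e)
    return entries


def rule_agrees_with_log(rule, entry):
    """Action, direction and interface in the rule text must agree with what
    pflog recorded; otherwise the number is being read against the wrong listing."""
    toks = rule.split()
    if toks[0] != entry["action"]:
        return False
    if next((t for t in toks if t in ("in", "out")), None) != entry["dir"]:
        return False
    if "on" in toks:
        i = toks.index("on") + 1
        negated = toks[i] == "!"
        ifname = toks[i + 1] if negated else toks[i]
        if (ifname == entry["ifname"]) == negated:
            return False
    return True


def resolve(vvnf_text, pflog_lines):
    """Per logged packet: the rule by kernel numbering, its @N in the listing, and
    whether the kernel lookup and the naive @N lookup agree with the log line."""
    by_file_nr, filter_rules = parse_vvnf(vvnf_text)
    report = []
    for e in parse_pflog(pflog_lines):
        file_nr, rule = filter_rules[e["nr"]] if e["nr"] < len(filter_rules) else (None, None)
        naive = by_file_nr.get(e["nr"])
        report.append({
            "pflog_nr": e["nr"],
            "vvnf_nr": file_nr,
            "rule": rule,
            "consistent": rule is not None and rule_agrees_with_log(rule, e),
            "naive_consistent": naive is not None and rule_agrees_with_log(naive, e),
            "synack": e["synack"],
            "flow": f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}",
        })
    return report


if __name__ == "__main__":
    for r in resolve(PFCTL_VVNF, PFLOG):
        print(r)
```

Run on the page's own data, the naive lookup lands on @16, a `block ... on rl0` rule that cannot have produced a `pass out on xl0` entry, while the kernel numbering lands on @23 and is consistent. The `synack` field is a reminder of what the logged packets are: SYN/ACKs from the file daemon's port 9102 back to the director's ephemeral port 54569, that is replies on the control connection the director opened, not an attempt by the file daemon to reach port 9103.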
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803212245.14894.max>