From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Fri, 21 Mar 2008 22:45:14 +0100
Subject: Re: Bacula File/Storage Connection Woes using PF
In-Reply-To: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0288@cetus.dawnsign.com>
Message-Id: <200803212245.14894.max@love2party.net>

On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
> I want to back up a client running packet filter. I am using Bacula to
> back up this client to a Bacula server in the internal network. The
> Bacula client has two interfaces - one external and one internal. The
> client's internal IF is 192.168.1.25. The Bacula server is at
> 192.168.1.17.
>
> When I attempt to contact the Bacula file daemon on the client, it
> responds by sending packets to the Bacula server daemon at a different
> port. It should contact the storage daemon at port 9103 but instead it
> attempts to contact the storage daemon at a port address that is not
> 9103. Thus the backup job fails.
>
> I've tried rdr to no avail. Here's my pf.conf:
>
> mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf

use "pfctl -vvsr" instead of -nf to make sure you really get the rules
that are loaded and not those that you wanted to load.

> ext_if = "rl0"
> int_if = "xl0"
> internal_net = "192.168.1.1/24"
> external_addr = "xxx.xxx.xxx.xxx"
> vpn_net = "10.8.0.0/24"
> icmp_types = "echoreq"
> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> webserver1 = "192.168.1.4"
> set skip on { lo0 }
> set skip on { gif0 }
> @0 scrub in all fragment reassemble
> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> @3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http ->
> 192.168.1.4 port 80
> table persist
> table persist
> table persist file "/usr/local/etc/spamd/spamd-mywhite"
> @4 rdr pass inet proto tcp from to xxx.xxx.xxx.xxx port
> = smtp -> 127.0.0.1 port 25
> @5 rdr pass inet proto tcp from to xxx.xxx.xxx.xxx port =
> smtp -> 127.0.0.1 port 8025
> @6 rdr pass inet proto tcp from ! to xxx.xxx.xxx.xxx
> port = smtp -> 127.0.0.1 port 8025
> @7 block drop in log all
> @8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp
> flags S/SA synproxy state
> @9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp
> flags S/SA synproxy state
> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port
> = smtp flags S/SA synproxy state
> @11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25
> port = ssh flags S/SA synproxy state
> @12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> @13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> @14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> @15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> @16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> @17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> @18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> @19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> @20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> @21 block drop in log quick inet from 192.168.1.25 to any
> @22 pass in on xl0 inet from 192.168.1.0/24 to any
> @23 pass out log on xl0 inet from any to 192.168.1.0/24
> @24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> @25 pass out on rl0 proto tcp all flags S/SA modulate state
> @26 pass out on rl0 proto udp all keep state
> @27 pass out on rl0 proto icmp all keep state
> @28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http
> flags S/SA synproxy state
> @29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh
> keep state
> warning: macro 'icmp_types' not used
> mailfilter@/usr/local/etc#
>
> mailfilter@~# tcpdump -n -e -ttt -i pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode listening on pflog0, link-type PFLOG (OpenBSD pflog file),
> capture size 96 bytes
> 000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535
> 005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: P 1:63(62) ack 39 win 33304 16163436[|tcp]>
> 000465 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: P 63:80(17) ack 66 win 33304 16163436[|tcp]>
> 000387 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: P 80:107(27) ack 125 win 33304 16163436[|tcp]>
> 002063 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: P 107:125(18) ack 142 win 33304 16163439[|tcp]>
> 002249 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: P 125:203(78) ack 271 win 33304 16163441[|tcp]>
> 100679 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: . ack 289 win 33304 16163542[|tcp]>
> 000913 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: P 203:223(20) ack 612 win 33304 16163542[|tcp]>
> 000396 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: P 223:241(18) ack 643 win 33304 16163543[|tcp]>
> 099682 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 >
> 192.168.1.17.54569: . ack 699 win 33304 16163643[|tcp]>
>
> Why is the Bacula file daemon trying to contact the Bacula storage
> daemon at port 54569 instead of port 9103? I'm guessing that rule 23 is
> responsible for these log entries but am not sure as these entries
> point to rule 16 as the matching rule. I am baffled by this as these
> entries do not use 127.0.0.1 nor the rl0 interface.

See above. I doubt this is a bug in pf.

> What should happen is that the Bacula director daemon contacts the
> client's Bacula file daemon at port 9102 from port 9101. The file
> daemon on the client should contact the Bacula storage daemon at port
> 9103 using port 9102 and execute the backup routine. More details at:
>
> http://bacula.org/en/rel-manual/Dealing_with_Firewalls.html#SECTION004722000000000000000
>
> The section suggests using port forwarding to redirect packets to port
> 9103 but I have been unsuccessful. Please note that there is no
> firewall between the client and the server - only that the mailfilter
> client runs pf.
>
> My Bacula config on the server works fine as it can back up LAN clients
> that are not using packet filter.

From the rules you quote above, I don't see why pf should interfere with
ports towards your internal net, but then again you might be having other
rules loaded than you think you are - the pflog is a strong indication.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
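As an added example, not part of the thread above: the confusion between "rule 23" in the `pfctl -vvnf` listing and "rule 16" in the pflog output is a good illustration of why Max recommends reading the loaded ruleset with `pfctl -vvsr`. The script below assumes (as its comments state) that `-vvnf` numbers every rule in the file, scrub, nat and rdr included, in one sequence, while pflog reports the index within the filter rules alone, counted from 0. Under that assumption it maps a pflog line back to the listed rule text and classifies the logged TCP segment from its flags. The listing is the one quoted in the thread; the table names the archive lost are replaced with the placeholder `<TABLE>`, and the two pflog lines are copied from the quoted tcpdump output.

```python
"""Map pflog 'rule N' back to a pfctl -vvnf listing and decode logged TCP segments.

Added example (not part of the mailing-list thread).  Assumption: in the
`pfctl -vvnf` listing every rule (scrub, nat, rdr, pass, block) gets one '@N'
in file order, while pflog and `pfctl -vvsr` count filter rules (pass/block)
only, starting at 0.  Table names lost in the archive appear as <TABLE>.
"""
import re

# Ruleset as quoted in the thread (wrapped lines joined; <TABLE> is a placeholder).
PFCTL_NF_LISTING = """\
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
@4 rdr pass inet proto tcp from <TABLE> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
@5 rdr pass inet proto tcp from <TABLE> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@6 rdr pass inet proto tcp from ! <TABLE> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
@7 block drop in log all
@8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
@9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
@10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
@12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
@13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
@14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
@15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
@16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
@18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
@19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
@20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
@21 block drop in log quick inet from 192.168.1.25 to any
@22 pass in on xl0 inet from 192.168.1.0/24 to any
@23 pass out log on xl0 inet from any to 192.168.1.0/24
@24 pass out log quick on xl0 inet from any to 10.8.0.0/24
@25 pass out on rl0 proto tcp all flags S/SA modulate state
@26 pass out on rl0 proto udp all keep state
@27 pass out on rl0 proto icmp all keep state
@28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
@29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
"""

# First and last pflog lines quoted in the thread (`tcpdump -n -e -ttt -i pflog0`).
PFLOG_LINES = [
    "000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > "
    "192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535",
    "099682 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > "
    "192.168.1.17.54569: . ack 699 win 33304 16163643[|tcp]>",
]

RULE_RE = re.compile(r"^@(\d+)\s+(\S+)\s+(.*)$")
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)(?P<rest>.*)$"
)


def parse_listing(listing):
    """Return [(nf_number, action, text)] for each '@N ...' line; table
    definitions, warnings and shell prompts are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), line.strip()))
    return rules


def filter_rules(listing):
    """Filter rules (pass/block) only, in load order: list index == pflog rule number."""
    return [r for r in parse_listing(listing) if r[1] in ("pass", "block")]


def resolve_pflog_rule(listing, pflog_rule):
    """Map pflog's 'rule N' to the (nf_number, action, text) it refers to, or None."""
    frules = filter_rules(listing)
    return frules[pflog_rule] if 0 <= pflog_rule < len(frules) else None


def decode_pflog_line(line):
    """Extract rule number, interface and endpoints; classify the TCP segment."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"])
    if d["flags"] == "S" and " ack " in d["rest"]:
        d["kind"] = "SYN/ACK"      # reply from a listening port to the peer's ephemeral port
    elif d["flags"] == "S":
        d["kind"] = "SYN"          # a new connection attempt towards dport
    else:
        d["kind"] = "established"  # data or pure ACK on an existing connection
    return d


if __name__ == "__main__":
    for line in PFLOG_LINES:
        pkt = decode_pflog_line(line)
        nf_no, _, text = resolve_pflog_rule(PFCTL_NF_LISTING, pkt["rule"])
        print(f"pflog rule {pkt['rule']} is listing {text}")
        print(f"  {pkt['kind']:11} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
```

Run stand-alone it resolves pflog rule 16 to `@23 pass out log on xl0 inet from any to 192.168.1.0/24`, the rule Doug suspected, and shows the first logged packet as a SYN/ACK from 192.168.1.25:9102 to 192.168.1.17:54569, i.e. the file daemon's own listening port answering a connection that arrived from an ephemeral port on the server, rather than a fresh connection out to port 9103. When the loaded ruleset differs from the file, as Max warns it might, feed the output of `pfctl -vvsr` to `resolve_pflog_rule` instead of the `-vvnf` listing.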