Date: Mon, 6 Jul 2009 15:35:15 +0200
From: Kim Attree <kim.attree@playsafesa.com>
To: Giuliano Gavazzi <dev+lists@humph.com>
Cc: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject: RE: Problem with source based policy routing
Message-ID: <00265389C30B444288C246DF37651D0C37698F3933@server-02.playsafesa.com>
In-Reply-To: <E5834FA3-2CC4-4192-9A26-0C4914B782A2@humph.com>
References: <00265389C30B444288C246DF37651D0C37637A1893@server-02.playsafesa.com> <E5834FA3-2CC4-4192-9A26-0C4914B782A2@humph.com>
> -----Original Message-----
> From: Giuliano Gavazzi [mailto:dev+lists@humph.com]
> Sent: 06 July 2009 03:13 PM
> To: Kim Attree
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: Problem with source based policy routing
>
>
> On M 6 Jul, 2009, at 10:36 , Kim Attree wrote:
>
> >
> > Hey Guys,
> >
> > I'm having a problem with source-based policy routing in IPFW, I'm
> > trying to run a load-balanced SMTP System over two links.
> >
> > Primary link is re0, let's give it an IP of 192.168.1.1
> > Secondary link is re1, with an IP of 192.168.2.1
> >
> > Default gateway for the box is 192.168.1.254 (so ALL outgoing
> > traffic goes out of re0, unless hardcoded into the routing table for
> > destinations instead)
> > Default gateway for re1 is 192.168.2.254
> >
> > I want re1 to be able to accept SMTP, but respond to the originating
> > IP over the same link re1 (instead of the default gateway).
> > With this in mind, I set up my NAT accordingly:
> >
> > <snip>
> > port 8669
> > alias_address 192.168.2.1
> > same_ports yes
> > use_sockets yes
> > log_ipfw_denied yes
> > redirect_port tcp 10.0.0.1:25 192.168.2.1:25
> > </snip>
> >
> > And the IPFW rules such:
> >
> > <snip>
> > # NATD Statements
> > add 00097 divert 8668 all from any to any via re0
> > add 00097 divert 8669 all from any to any via re1
> >
>
> why NAT? Unless you also want to spread outgoing traffic from internal
> hosts, presumably based on dest port or network, then NAT is of no use
> (except the one via re0 that is presumably used for internal hosts).
> Incoming packets don't need any rules as the gw 192.168.2.254 knows
> how to reach your host, you only need to fwd (that is to route) your
> outgoing packets according to the source. I have a similar setup (with
> also 2 NATs because I do use both gateways also for natted hosts).

I have one Internal Exchange server (don't laugh), and NAT handles the static mapping of IP/Port to that server.

The original point here is to have two mapped NAT port 25's to the same internal Mail server, hence the addition of the NAT before and during the forward logic (obviously wrong though).

> The fwd rule would be very early, just after the loopback rules,
> UNLESS you want to block outgoing traffic on some ports:
>
> add 50 fwd 192.168.2.254 src-ip 192.168.2.1 not dst-ip 192.168.2.1/24
>
> That should do it.

Because the incoming traffic traverses NAT, this won't work:

192.168.2.254 --> 192.168.2.1(NAT:25) --> 10.0.0.1:25 --> 192.168.2.1(NAT) --> 192.168.2.254 --> World

The forward ends firewall rule processing, meaning the traffic cannot carry on outbound by my logic.

> NOTE: if you also do NAT on that port (re1), then you need this also
> after the corresponding nat rule.
> But I urge you to distinguish between necessarily natted traffic (that
> is traffic coming from internal hosts) and traffic coming from the
> host itself, by using an alias on the same subnet (say 192.168.2.2)
> for the natted traffic. This way you avoid natting traffic that does
> not need it, and can easily distinguish between incoming traffic for
> your host (192.168.2.1) and for natted hosts (192.168.2.2).
>
>
> Giuliano

Thanks for your assistance, any further help would be greatly appreciated!!!

Kim
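The rule ordering Giuliano describes (fwd right after the loopback rules, repeated after the re1 NAT divert, with a separate NAT alias for natted hosts), written out as an added rc.firewall-style dry-run script; this is an illustration added here, not code from either poster. The addresses and natd ports are the thread's; the alias 192.168.2.2 being configured on re1, the rule numbers and the FWCMD dry-run switch are assumptions.

```shell
#!/bin/sh
# Dry run by default: the ipfw commands are printed, not loaded.
# Run with FWCMD="ipfw -q" on the FreeBSD host to actually load them.
fwcmd="${FWCMD:-echo ipfw -q}"

# Addresses from the thread. 192.168.2.2 is the extra alias Giuliano proposes
# for natted traffic; assumed to be on re1 (ifconfig re1 alias 192.168.2.2/32).
re1_ip="192.168.2.1"
re1_gw="192.168.2.254"
re1_nat="192.168.2.2"
re1_net="192.168.2.0/24"
mail_srv="10.0.0.1"

# natd configuration for the re1 instance (port 8669 as in the thread), using the
# separate alias so host-originated and natted traffic differ by source address.
natd_re1_conf() {
    cat <<EOF
port 8669
alias_address ${re1_nat}
same_ports yes
use_sockets yes
log_ipfw_denied yes
redirect_port tcp ${mail_srv}:25 ${re1_nat}:25
EOF
}

load_ruleset() {
    ${fwcmd} flush
    ${fwcmd} add 10 allow ip from any to any via lo0
    # The host's own traffic sourced from re1's address is sent to re1's gateway.
    # fwd terminates rule processing, so matching packets never reach the diverts.
    ${fwcmd} add 50 fwd ${re1_gw} ip from ${re1_ip} to not ${re1_net}
    # One natd per link (ports 8668/8669 as in the thread).
    ${fwcmd} add 97 divert 8668 ip from any to any via re0
    ${fwcmd} add 98 divert 8669 ip from any to any via re1
    # After the re1 NAT the source is the NAT alias, so the fwd is repeated
    # here, after the corresponding nat rule, as Giuliano's note says.
    ${fwcmd} add 99 fwd ${re1_gw} ip from ${re1_nat} to not ${re1_net}
    ${fwcmd} add 65000 allow ip from any to any
}

load_ruleset
```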