Date: Tue, 9 Nov 2004 14:13:34 +0100
From: Łukasz Dudek <mocart@pinco.pl>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf multipath nat
Message-ID: <20041109131334.GA63180@dorbja.pinco.pl>
In-Reply-To: <200411081621.46313.max@love2party.net>
References: <20041108143059.GA54873@dorbja.pinco.pl> <200411081621.46313.max@love2party.net>
On Mon, Nov 08, 2004 at 04:21:39 +0100, Max Laier wrote:
> On Monday 08 November 2004 15:30, Łukasz Dudek wrote:
> > I've tried to configure multipath NAT using a RELENG_5 box
> > (when it was current and now when it became stable).
> >
> > This is the simplified rule schema I've been using:
> >
> > # Macros: define common values, so they can be referenced and changed easily.
> > ext_if="fxp0"
> > ext_if2="fxp2"
> > int_if="fxp1"   # replace with actual internal interface name i.e., dc1
> > internal_net="192.168.0.1/23"
> > external_addr="10.53.28.234"
> > gateway="10.53.28.233"
> > gateway2="10.10.8.1"
> >
> > scrub in all
> >
> > # NAT: rewrite internal sources to the address of whichever uplink the packet leaves on
> > nat on $ext_if from $internal_net to any -> ($ext_if)
> > nat on $ext_if2 from $internal_net to any -> ($ext_if2)
> >
> > # Inbound redirects on the first uplink to internal hosts
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 1100 -> 192.168.0.2 port 1100
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 1101 -> 192.168.0.2 port 1101
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4664 -> 192.168.0.2 port 4664
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4666 -> 192.168.0.4 port 4666
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4670 -> 192.168.1.4 port 4670
> >
> > # Outbound FTP from the LAN is handed to a local ftp-proxy listening on port 8021
> > rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> > no rdr on { lo0, lo1 } from any to any
> >
> > # Filter rules; pf applies the last matching rule unless a rule says "quick",
> > # so the "block in all" below overrides the "pass in all" above it
> > pass in all
> > pass out all
> > block in all
> > pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
> > pass in on $ext_if2 inet proto tcp from any to $ext_if2 user proxy keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 25 keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 80 keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 110 keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 443 keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 465 keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 995 keep state
> > pass in on $ext_if proto udp from any to $ext_if port 53 keep state
> > pass out on $ext_if proto { tcp, udp, icmp } all keep state
> > pass out on $ext_if2 proto { tcp, udp, icmp } all keep state
> > # DNS to the local resolver is matched "quick" so it is never routed out an uplink
> > pass in quick on $int_if proto udp from $internal_net to 192.168.0.1 port 53 keep state
> > pass in on $int_if proto { tcp, udp, icmp } all keep state
> > pass out on $int_if proto { tcp, udp, icmp } all keep state
> > pass in on lo0 proto { tcp, udp, icmp } all keep state
> > pass out on lo0 proto { tcp, udp, icmp } all keep state
> >
> > # Multipath: hand each new connection from the LAN to the two uplinks in turn
> > pass in on $int_if \
> >     route-to { ( $ext_if $gateway), ( $ext_if2 $gateway2 ) } round-robin \
> >     from $internal_net to any keep state
> > # Make sure packets sourced from one uplink's address always leave through that uplink
> > pass out on $ext_if2 route-to ($ext_if $gateway) from $ext_if to any
> > pass out on $ext_if route-to ($ext_if2 $gateway2) from $ext_if2 to any
>
> Are you *sure* that you had debug.mpsafenet=0 in the end? You know that it is
> only changeable during the loader and *not* in the live system?

Yes, I'm sure; /boot/loader.conf is the place where I keep such tunables.

Regards,
Lukasz Dudek
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041109131334.GA63180>
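Max's question hinges on a detail that is easy to get wrong: a loader tunable like debug.mpsafenet is read by the boot loader, so the value in /boot/loader.conf and the value the running kernel actually uses can differ until the next reboot. The following POSIX sh check, added here as an example and not part of the thread or of FreeBSD, verifies both: it extracts the last assignment of a tunable from a loader.conf-style file and compares it with the output of `sysctl NAME` (FreeBSD prints it as "name: value"). The file path and the sysctl output are parameters, and the loader.conf contents and sysctl lines at the bottom are constructed sample input, so the script runs on any host.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a loader tunable such as
# debug.mpsafenet is both set in /boot/loader.conf and in effect in the running
# kernel. The file path and the sysctl output are passed in so the functions can
# be exercised with constructed input; nothing here is read from a real system.

# loader_conf_value FILE NAME
# Print the value of the last assignment to NAME in FILE (later lines override
# earlier ones, as in loader.conf). Whitespace, surrounding double quotes and
# trailing '#' comments are stripped. Prints nothing and returns 1 if NAME is never set.
loader_conf_value() {
    awk -v name="$2" '
        {
            line = $0
            sub(/#.*/, "", line)                  # drop comments
            eq = index(line, "=")
            if (eq == 0) next                     # not an assignment
            key = substr(line, 1, eq - 1)
            gsub(/[[:space:]]/, "", key)
            if (key != name) next
            val = substr(line, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/^"|"$/, "", val)                # loader.conf values are usually quoted
            found = 1; last = val
        }
        END { if (found) print last; else exit 1 }
    ' "$1"
}

# running_value SYSCTL_OUTPUT NAME
# Extract NAME from the output of `sysctl NAME` ("debug.mpsafenet: 0").
# Returns 1 if the OID is not present, e.g. on "sysctl: unknown oid ..." output.
running_value() {
    printf '%s\n' "$1" | awk -v name="$2" -F': ' '
        $1 == name { print $2; found = 1 }
        END { exit !found }
    '
}

# check_tunable FILE SYSCTL_OUTPUT NAME WANTED
# Exit status: 0 = set in FILE and in effect; 1 = not set in FILE;
# 2 = set in FILE but the running kernel differs (reboot needed);
# 3 = FILE sets a value other than WANTED.
check_tunable() {
    file=$1 sysctl_out=$2 name=$3 want=$4
    if ! conf=$(loader_conf_value "$file" "$name"); then
        echo "$name: not set in $file"; return 1
    fi
    if [ "$conf" != "$want" ]; then
        echo "$name: $file sets \"$conf\", wanted \"$want\""; return 3
    fi
    if ! run=$(running_value "$sysctl_out" "$name"); then
        echo "$name: not present in the running kernel"; return 2
    fi
    if [ "$run" != "$want" ]; then
        echo "$name: $file says $conf but the running kernel has $run (reboot required)"; return 2
    fi
    echo "$name=$want: set in $file and in effect"
}

# --- constructed sample input (not taken from the poster's machine) ---
tmp=$(mktemp -d)
cat > "$tmp/loader.conf" <<'EOF'
# /boot/loader.conf
kern.ipc.nmbclusters="32768"
debug.mpsafenet="1"        # earlier setting
debug.mpsafenet="0"        # last assignment wins
EOF

# Kernel booted before the edit still runs mpsafenet=1: exit status 2.
check_tunable "$tmp/loader.conf" "debug.mpsafenet: 1" debug.mpsafenet 0 || echo "exit status $?"
# After a reboot the kernel reports 0: exit status 0.
check_tunable "$tmp/loader.conf" "debug.mpsafenet: 0" debug.mpsafenet 0 || echo "exit status $?"
rm -rf "$tmp"
```

On the FreeBSD box itself the call would be `check_tunable /boot/loader.conf "$(sysctl debug.mpsafenet)" debug.mpsafenet 0`; since the sysctl reports the value the kernel booted with, a status of 2 means the file was edited after the last reboot and the change is not yet live.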