DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 16th September 2008
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Red face PF NAT and 2 external nic´s

Hi!

Im soon having another connection with static IP (from university) which has daily restrictions about the amount of transferred data. I also have this DSL connection with DHCP. I started to think that i would like to route/redirect some bandwidth eating ports from lan computers to use DSL. This also offers me a chance to "learn" some PF more. I planned that my DSL ext would be BFE0 and the STATIC one would be DC0.

oh and the ports i want to put through DSL are all the ports i have defined for LAN machines below.

edit: (coming to think of it second scenario would be that all other traffic goes thru DSL except http and port 28960 from LAN. Actually this is much straightforward too.)

here is my config now.

Code:
ext_if1="bfe0"  # Ulkoverkon kortti (DSL)
ext_if2="dc0"   # Ulkoverkon kortti (Static)
int_if="xl0"   # Sisäverkon kortti
# Macros
lahiverkko = $int_if:network
icmp_types = "{ 0, 3, 11 }"
#LAN machine 1 (pate)
pate = "{ 192.168.0.2 }"
patetcp = "{ 1412, 49995, 61027 }"      #TCP portit, erottele pilkulla, jotka ohjataan koneelle (pate)
pateudp = "{ 1412, 49995, 61027 }"      #UDP portit,  -   "  -

#LAN machine 2 (texina)
texina = "{ 192.168.0.3 }"
texinatcp = "{ 1414, 2412, 8085, 50200 }"       #TCP portit
texinaudp = "{ 1414, 2412 }"                    #UDP portit

#tablet
table <nonroutable> persist { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12,10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16,192.0.2.0/24, 204.152.64.0/23, \
224.0.0.0/3,255.255.255.255/32 }

# options
set block-policy return
set optimization aggressive
set loginterface $ext_if1
set skip on lo0
set skip on xl0
# scrub , Järjestele ja tarkista kaikki paketit sisään
scrub in all

# Queue. Mahdolliset siirtorajoitukset ja liikenteen priorisoinnit.
#altq on $ext_if bandwidth 848Kb hfsc queue { ack, dns, dflt }
#   queue ack        bandwidth 60% priority 7 hfsc (realtime 50%)
#   queue dns        bandwidth 10% priority 6 hfsc (realtime 5%)
#   queue dflt       bandwidth 30% priority 2 qlimit 100 hfsc (realtime 25% default)
# Testaus Primary Queue
#altq on $ext_if priq bandwidth 828Kb queue { ack, dns, dflt }
#    queue ack priority 7
#    queue dns priority 5
#    queue dflt priority 2 priq(default)
#
# Nat ja Uudelleenohjaukset (Hoidettu ylempänä makroilla, ei tarvitse välttämättä vaihtaa alempia)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
rdr pass on $ext_if1 proto tcp from any to any port $patetcp -> $pate
rdr pass on $ext_if1 proto udp from any to any port $pateudp  -> $pate
rdr pass on $ext_if1 proto tcp from any to any port $texinatcp  -> $texina
rdr pass on $ext_if1 proto udp from any to any port $texinaudp  -> $texina

# rules
block in log all
block out on $ext_if1 from any to <nonroutable>
block in log quick on $ext_if1 from <nonroutable> to any
#pass quick on $int_if from $int_if:network to $int_if:network
pass out quick on $ext_if1 proto udp from ($ext_if1) to any port 53 keep state queue ( dns )
pass out on $ext_if1 from ($ext_if1) keep state queue ( dflt , ack )
antispoof quick for { lo0 $int_if }

# pass in rules
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 80 keep state
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 22 keep state
pass in on $int_if from $int_if:network to any
#pass out on $int_if from any to $int_if:network
It´s not necessary to use queueing (Ment for DSL) if it even is possible or brings some extra difficulties to the thing :-)

I also tried to understand this (found with google)
http://osdir.com/ml/os.openbsd.pf/2004-07/msg00092.html
but with poor results. Or understood it but how to adapt to my use and will it work im unsure.

I know its annoying if someone asks ready configuration/examples, but it would be very nice. Im not the type who just puts it to use and enjoys. I really like to know how the thing works before i put it into use. So i read the conf over and over again till i get it.

ofc any other help/hints conserning that conf are welcome. thank you very much for your time.

Im running FBSD 7

Last edited by Calderon; 16th September 2008 at 06:56 PM.
Reply With Quote
  #2   (View Single Post)  
Old 17th September 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

Have a look at the Load Balance Outgoing Traffic section of the OpenBSD pf user guide.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 17th September 2008
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Default

Thanks!

Remembered something about this section from manual but the title was obviously "misleading" when i rechecked. :-P OK.

So if i get it right.

as for the incoming connections redirected to LAN machines i just
Code:
" rdr pass on $ext_if1 ..."
whatever ext_if i choose. without the round-robin ofc.

and outgoing

Code:
pass in on $int_if route-to \
   ($ext_if1 $ext_gw1)
   from $lan_net to any keep state
i would use ext_if1 as default "outgoing" and if i wanted for example port 28960 from lan machines to go via ext_if2 i would place similar rule as above before it (quick?) like this

Code:
pass in quick on $int_if route-to \
   ($ext_if2 $ext_gw2) \
   proto { udp , tcp } from $lan_net port 28960 to any keep state

pass in on $int_if route-to \
   ($ext_if1 $ext_gw1)
   from $lan_net to any keep state
Some questions.

- just to be sure, so this gateway address ext_gw means each external IF's IP, right? and can i use ext_gw1="($ext_if1)" to get IP or? thinking the case dynamic one would change so..

-To ensure that packets with a source address belonging to $ext_if1 are always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the following two lines should be included in the ruleset:
Code:
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
   to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
   to any
I don´t get it.

I think ill start the whole ruleset from scratch as this somehow gave me some enlightement (if im right about this. somebody confirm)

Last edited by Calderon; 17th September 2008 at 05:24 PM.
Reply With Quote
  #4   (View Single Post)  
Old 17th September 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

I only have one single internet connection to play with, not two, so I cannot give you any practical advice.

RE: ext_gw

From that section of the pf user guide:
Quote:
One additional piece of information that's needed to do this is the IP address of the adjacent router on each Internet connection. This is fed to the route-to option to control the destination of outgoing packets.

[snip]

ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "68.146.224.1"
ext_gw2 = "142.59.76.1"
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 17th September 2008
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Default

Here´s what i tried based on that but nothing seems to come back? or does it even go out. pftop snip attached below my conf.

Code:
ext_if1="bfe0"  # Ulkoverkon kortti (DSL)
ext_if2="dc0"   # Ulkoverkon kortti (Static)
int_if="xl0"   # Sisäverkon kortti
ext_gw1="88.193.77.121"
ext_gw2="88.193.68.22"
# Macros
lahiverkko = $int_if:network
icmp_types = "{ 0, 3, 11 }"
#LAN machine 1 (pate)
pate = "{ 192.168.0.2 }"
patetcp = "{ 1412, 49995, 61027 }"      #TCP portit, erottele pilkulla, jotka ohjataan koneelle (pate)
pateudp = "{ 1412, 49995, 61027 }"      #UDP portit,  -   "  -

#LAN machine 2 (texina)
texina = "{ 192.168.0.3 }"
texinatcp = "{ 1414, 2412, 8085, 50200 }"       #TCP portit
texinaudp = "{ 1414, 2412 }"                    #UDP portit
#tablet
table <nonroutable> persist { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12,10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16,192.0.2.0/24, 204.152.64.0/23, \
224.0.0.0/3,255.255.255.255/32 }

# options
set block-policy return
set optimization aggressive
set loginterface $ext_if1
set loginterface $ext_if2
set skip on lo0
# scrub , Järjestele ja tarkista kaikki paketit sisään
scrub in all

# Nat ja Uudelleenohjaukset (Hoidettu ylempänä makroilla, ei tarvitse välttämättä vaihtaa alempia)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
rdr pass on $ext_if1 proto tcp from any to any port $patetcp -> $pate
rdr pass on $ext_if1 proto udp from any to any port $pateudp  -> $pate
rdr pass on $ext_if1 proto tcp from any to any port $texinatcp  -> $texina
rdr pass on $ext_if1 proto udp from any to any port $texinaudp  -> $texina

# rules
# block in log all
block in from any to any
block out from any to any
#block out on { $ext_if1 , $ext_if2 } from any to <nonroutable>
#block in log quick on { $ext_if1 , $ext_if2 } from <nonroutable> to any

#  pass all outgoing packets on internal interface
pass out on $int_if from any to $lahiverkko

#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lahiverkko to $int_if

pass in quick on $int_if route-to \
   ($ext_if2 $ext_gw2) \
  proto udp from $lahiverkko port 28960 to any keep state

pass in on $int_if route-to \
   ($ext_if1 $ext_gw1) \
   from $lahiverkko to any keep state

#  general "pass out" rules for external interfaces
pass out on { $ext_if1 , $ext_if2 } from any to any

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

#web and ssh on ADSL
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 80 keep state
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 22 keep state

Code:
tcp   In  192.168.0.2:2328      128.30.52.52:80                                  CLOSED:SYN_SENT     00:00:01  00:00:29      1     48                   48  5
tcp   Out 192.168.0.2:2328      128.30.52.52:80       88.193.77.121:59053      SYN_SENT:CLOSED       00:00:01  00:00:29      1     48                   48  6
tcp   In  192.168.0.2:2329      128.30.52.52:80                                  CLOSED:SYN_SENT     00:00:01  00:00:29      1     48                   48  5
tcp   Out 192.168.0.2:2329      128.30.52.52:80       88.193.77.121:65359      SYN_SENT:CLOSED       00:00:01  00:00:29      1     48                   48  6
?

What am i missing. I also tested to connect via port 28960 udp from my lan and pftop showed that its going out on right if. above i got when tried to open page with browser, which timed out after a while. atleast box can connect because my dnsmasq can provide dns information to LAN computers.

Last edited by Calderon; 17th September 2008 at 06:06 AM. Reason: additional information
Reply With Quote
  #6   (View Single Post)  
Old 17th September 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

Some tips

Start with a simple ruleset only allowing outgoing DNS. Test your ruleset by resolving names to IP addresses with dig.

Then add outgoing www port 80 access and test browsing.

Replace your redundant block rules with
Code:
block log all
. Run tcpdump to view any logged blocked packets
Code:
# tcpdump -eni pflog0
Run another instance of tcpdump on the internal NIC and two others on your 2 external NICs.


You can run these tcpdumps from a workstation being ssh'ed-in to the firewall.
To prevent 'ssh' pollution of your tcpdump output , just add 'not port ssh' to the tcpdump command

Remember: 'Real Men debug their firewall with tcpdump'
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #7   (View Single Post)  
Old 17th September 2008
hamba hamba is offline
Fdisk Soldier
 
Join Date: Apr 2008
Posts: 71
Default

Hi

I'm running pf here in the office that is doing load balancing for our 2 adsl lines.

I would suggest you first try a very basic setup to get it working and then start adding your route-to and reply-to rules.
The most basic will be as J65nko pointed out with the link to the pf page.

Once you have that working then you can start routing your traffic to where you want them to go.
Here are a few examples for incoming traffic
Code:
rdr on $ext_if1 proto tcp from any to $ext_if1 port 80 -> $webserver
pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to { $webserver } port = 80
and if you want your outgoing traffic to use a specific line
Code:
pass in quick on $int_if  route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 22
Hope this helps you a bit.
Reply With Quote
  #8   (View Single Post)  
Old 17th September 2008
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Default

Thanks for tips. Ill try to get clue of this with simple ruleset and post more questions if they occur. Thanks for helping.

Last edited by Calderon; 18th September 2008 at 08:28 AM.
Reply With Quote
  #9   (View Single Post)  
Old 2nd February 2009
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Default

I just came to say that everything works now as it should.. ty
Reply With Quote
Old 28th May 2009
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Default

Hmm.. some question. NAT is not involved in this one (i think)

Now i have 2 "external" nic's. I want sshd to listen on bfe0 port 22 and rl0 on port 8081 (university line has only this port open for remote cons). I have sshd configured for that and i think it´s fine.

Here´s the ruleset. I think the Bold one most relevant.

Code:
bsdkone# pfctl -s rules
scrub in all no-df fragment reassemble
block return log all
block return in quick on bfe0 proto tcp from <sshguard> to any port = ssh label "ssh bruteforce"
block drop in on ! lo0 inet6 from ::1 to any
block drop in on ! lo0 inet from 127.0.0.0/8 to any
anchor "ftp-proxy/*" all
pass out proto ipv6 all keep state
pass in proto ipv6 all keep state
pass out on xl0 inet from any to 192.168.133.0/24 flags S/SA keep state
pass out on xl0 inet6 from any to 2001:14b8:125::/64 flags S/SA keep state
pass in quick on xl0 inet from 192.168.133.0/24 to 192.168.133.1 flags S/SA keep state
pass in quick on xl0 inet6 from 2001:14b8:125::/64 to fe80::250:4ff:feaf:97b0 flags S/SA keep state
pass in quick on xl0 inet6 from 2001:14b8:125::/64 to 2001:14b8:125::10 flags S/SA keep state
pass in quick on xl0 route-to (rl0 94.237.80.1) inet proto udp from 192.168.133.0/24 port = 28960 to ! 88.192.186.40 keep state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto tcp from 192.168.133.0/24 to any flags S/SA modulate state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto udp from 192.168.133.0/24 to any keep state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto icmp from 192.168.133.0/24 to any keep state
pass out on bfe0 proto tcp all flags S/SA keep state
pass out on bfe0 proto udp all keep state
pass out on bfe0 proto icmp all keep state
pass out on rl0 proto tcp all flags S/SA keep state
pass out on rl0 proto udp all keep state
pass out on rl0 proto icmp all keep state
pass out on bfe0 route-to (rl0 94.237.80.1) inet from 94.237.82.251 to any flags S/SA keep state
pass out on rl0 route-to (bfe0 84.249.128.1) inet from 88.192.186.40 to any flags S/SA keep state
pass quick on xl0 all flags S/SA keep state


pass in on rl0 inet proto tcp from any to (rl0) port = 8081 flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = http flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = ssh flags S/SA keep state
pass in quick on bfe0 inet proto udp from any to (bfe0) port = 28960 keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = 28960 flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = smtp flags S/SA keep state
I run tcpdump and i see connection coming


Code:
bsdkone# tcpdump -i rl0 | grep 8081
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
02:42:33.136204 IP dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.61579 > as82-251.tontut.fi.8081: S 2117910606:2117910606(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 464460900 0,sackOK,eol>
02:42:36.136417 IP dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.61579 > as82-251.tontut.fi.8081: S 2117910606:2117910606(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 464463900 0,sackOK,eol>
02:42:39.335786 IP dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.61579 > as82-251.tontut.fi.8081: S 2117910606:2117910606(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 464467100 0,sackOK,eol>
But no answer?

Now when i run tcpdump on another external interface (the one which shouldn´t be any part of this? there goes the answer and it uses rl0 ones IP?)

Code:
bsdkone# tcpdump -i bfe0 | grep 8081
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bfe0, link-type EN10MB (Ethernet), capture size 96 bytes
02:44:18.790543 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,timestamp 545701484 464563537>
02:44:18.966214 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,timestamp 545701484 464566737>
02:44:21.965584 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,timestamp 545701484 464566737>
02:44:22.166126 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,eol>

The bfe0 if is the default "gateway" but shouldn't the answering packets go the same way as they came?

EDIT: Answering myself that IN and OUT are 2 different states.

What am I missing here?

Last edited by Calderon; 30th May 2009 at 06:49 PM.
Reply With Quote
Old 29th May 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

Seen this?

Code:
     set state-policy
           The state-policy option sets the default behaviour for states:

           if-bound     States are bound to interface.
           floating     States can match packets on any interfaces (the
                        default).

           For example:

                 set state-policy if-bound
See if that changes anything.
Reply With Quote
Old 29th May 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

And there's:

Code:
     reply-to
           The reply-to option is similar to route-to, but routes packets that
           pass in the opposite direction (replies) to the specified inter-
           face.  Opposite direction is only defined in the context of a state
           entry, and reply-to is useful only in rules that create state.  It
           can be used on systems with multiple external connections to route
           all outgoing packets of a connection through the interface the
           incoming connection arrived through (symmetric routing enforce-
           ment).
Reply With Quote
Old 29th May 2009
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Default

Tried if-bound and still no connection, answering packets on bfe0 dissappeared though. Is my rule in wrong place or something.

I still have to try that reply-to (trying to figure it out)
Reply With Quote
Old 29th May 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

I think reply-to is the way to go. Post #7 above has examples.
Reply With Quote
Old 29th May 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

Quote:
Originally Posted by Calderon View Post
Tried if-bound and still no connection, answering packets on bfe0 dissappeared though. Is my rule in wrong place or something.
No, it shows you that the return packets 'cling' to the interface they were received on (because they're only allowed to create state there). They simply won't go out now because they have no routing (the default route which they used to go to is on the interface they're now not allowed to use).

What reply-to does is basically two things:

reply-to ( $nic $gw )

1. provide the physical way out -> nic
2. provide the necessary routing for that action -> gateway
Reply With Quote
Old 29th May 2009
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Default

Code:
rdr on $ext_if2 proto tcp from any to $ext_if2 port 8081 -> 94.237.82.251

pass in log quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to 94.237.82.251 port = 8081
I had tried that with and without the rdr "rule" (thought that im not "routing" anything to my LAN)

Same results.

Maybe i should take a little distance from this, and take a look with fresh eyes :-). I think this should be easy but... Atleast im learning something on the way wich was my purpose also.

Last edited by Calderon; 7th June 2012 at 05:33 PM.
Reply With Quote
Old 29th May 2009
hamba hamba is offline
Fdisk Soldier
 
Join Date: Apr 2008
Posts: 71
Default

Hi

If you want to connect directly to your firewall you don't need a reply-to rule. The reply-to rule only applies when you are using rdr rules to access servers behind the firewall.

you can use reply-to as follows
Code:
rdr on $ext_if1 proto tcp from any to $ext_if1 port 22 -> 10.100.100.104

pass in quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to 10.100.100.104 port = 22
You can try a normal pass in rule on ext_if2
Code:
pass in log quick on $ext_if2 inet proto tcp from 94.237.82.251 to $ext_if2 port = 8081
Add this rulle some where high up in your pf.conf, before the reply-to and route-to rules.

Last edited by hamba; 29th May 2009 at 07:33 PM.
Reply With Quote
Old 29th May 2009
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Default

Code:
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to ($ext_if2) port 8081 keep state (floating)
This line alone pretty much did it. I had if-bound on still and this didnt work with it so... More problems when i didn't notice that there was some DHCP problem on ISP end and my IP was changed (Has been the same for since i got it) and stuff like that.

Anyway a nice lesson again how things work for me, the harder it is the better you remember :-)

Thanks again everybody.
Reply With Quote
Old 21st August 2009
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Default

Another question regarding 2 External nic's...


How will i be able to configure so that my rl0 gets it´s lease from dhcpd first.

Now it seems that this is going in alphabetical order (no matter what is first in rc.conf) and dhclient on bfe0 gets it´s IP first on bootup. After that routing and stuff is messed up.

I have now disabled dhcp in rc.conf on bfe0 and manually start it after reboot but is there way to specify in rc.conf or anywhere else that rl0 would "dhcp" first.

thanks.
__________________
SpreadBsd
Reply With Quote
Old 21st August 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

You could try moving the dhcp request for the second NIC to /etc/rc.local, and just setting it to 'up' in /etc/rc.conf.
Reply With Quote
Reply

Tags
2 external, 2 isp, firewall, nat, pf

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
mounting external XFS HDD rativid OpenBSD General 5 3rd September 2010 02:31 PM
External Ips zomo OpenBSD General 12 20th November 2008 09:47 AM
Router for external IP's bichumo General software and network 11 22nd July 2008 03:07 AM
2 external NIC + 1 internal NIC AlexV FreeBSD General 7 4th June 2008 08:18 AM
ssh/external access jwhal OpenBSD General 11 21st May 2008 07:19 PM


All times are GMT. The time now is 09:31 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick