Problem with source based policy routing

Kim Attree kim.attree at playsafesa.com
Mon Jul 6 13:34:39 UTC 2009


> -----Original Message-----
> From: Giuliano Gavazzi [mailto:dev+lists at humph.com]
> Sent: 06 July 2009 03:13 PM
> To: Kim Attree
> Cc: freebsd-ipfw at freebsd.org
> Subject: Re: Problem with source based policy routing
> 
> 
> On M 6 Jul, 2009, at 10:36 , Kim Attree wrote:
> 
> >
> > Hey Guys,
> >
> >
> >
> > I'm having a problem with source-based policy routing in IPFW, I'm
> > trying to run a load-balanced SMTP System over two links.
> >
> > Primary link is re0, let's give it an ip of 192.168.1.1
> > Secondary link is re1, with an ip of 192.168.2.1
> >
> > Default gateway for the box is 192.168.1.254 (so ALL outgoing
> > traffic goes out of re0, unless hardcoded into the routing table for
> > destinations instead)
> > Default gateway for re1 is 192.168.2.254
> >
> > I want re1 to be able to accept SMTP, but respond to the originating
> > IP over the same link re1 (instead of the default gateway).
> > With this in mind, I setup my NAT accordingly:
> >
> > <snip>
> > port 8669
> > alias_address 192.168.2.1
> > same_ports yes
> > use_sockets yes
> > log_ipfw_denied yes
> > redirect_port tcp 10.0.0.1:25 192.168.2.1:25
> > </snip>
> >
> > And the IPFW rules such:
> >
> > <snip>
> > # NATD Statements
> > add 00097 divert 8668 all from any to any via re0
> > add 00097 divert 8669 all from any to any via re1
> >
> 
> why NAT? Unless you also want to spread outgoing traffic from internal
> hosts, presumably based on dest port or network, then NAT is of no use
> (except the one via re0 that is presumably used for internal hosts).
> Incoming packets don't need any rules as the gw 192.168.2.254 knows
> how to reach your host, you only need to fwd (that is to route) your
> outgoing packets according to the source. I have a similar setup (with
> also 2 NATs because I do use both gateways also for natted hosts).

I have one Internal Exchange server (don't laugh), and NAT handles the static mapping of IP/Port to that server. The original point here is to have two mapped NAT port 25's to the same internal Mail server, hence the addition of the NAT before and during the forward logic (obviously wrong though).
 
> The fwd rule would be very early, just after the loopback rules,
> UNLESS you want to block outgoing traffic on some ports:
> 
> add 50 fwd 192.168.2.254 src-ip 192.168.2.1 not dst-ip 192.168.2.1/24
> 
> That should do it.

Because the incoming traffic traverses NAT, this won't work:

192.168.2.254 --> 192.168.2.1(NAT:25) --> 10.0.0.1:25 --> 192.168.2.1(NAT) --> 192.168.2.254 --> World

The forward ends firewall rule processing, meaning the traffic can not carry on outbound by my logic.

> NOTE: if you also do NAT on that port (re1), then you need this also
> after the corresponding nat rule.
> But I urge you to distinguish between necessarily natted traffic (that
> is traffic coming from internal hosts) and traffic coming from the
> host itself, by using an alias on the same subnet (say 192.168.2.2)
> for the natted traffic. This way you avoid natting traffic that does
> not need it, and can easily distinguish between incoming traffic for
> your host (192.168.2.1) and for natted hosts (192.168.2.2).
> 
> 
> Giuliano

Thanks for your assistance, any further help would be greatly appreciated!!!

Kim
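As an added example (my own script, not a configuration from either poster or from the FreeBSD project), here is the ordering Giuliano's note describes: natd diverts sit before the fwd rule, so a reply from the internal mail server is rewritten to the re1 address first and only then policy-routed to re1's gateway. It assumes the divert ports (8668 for re0, 8669 for re1), the internal server 10.0.0.1 and the 192.168.2.2 alias for natted hosts from the thread.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Assumed from the thread: natd for re0 on
# divert port 8668, natd for re1 on divert port 8669, internal mail server 10.0.0.1,
# natted hosts using the alias 192.168.2.2 on re1 as Giuliano suggests.
# IPFW defaults to "echo", so the script only prints the rules (a dry run);
# set IPFW=/sbin/ipfw to load them for real.
IPFW=${IPFW:-echo}

load_rules() {
    $IPFW -f flush
    $IPFW add 10 allow ip from any to any via lo0

    # natd first: a reply from 10.0.0.1:25 leaving via re1 is diverted here, comes back
    # with source 192.168.2.1 (or .2 for natted hosts) and resumes at the next rule.
    $IPFW add 97 divert 8668 ip from any to any via re0
    $IPFW add 97 divert 8669 ip from any to any via re1

    # Source-based policy routing, evaluated after NAT: anything leaving with an re1
    # source address that is not for the local re1 subnet goes to re1's gateway instead
    # of the default gateway 192.168.1.254. fwd terminates rule processing, which is
    # why it has to come after the divert rule and not before it.
    $IPFW add 100 fwd 192.168.2.254 ip from 192.168.2.1 to not 192.168.2.0/24 out
    $IPFW add 101 fwd 192.168.2.254 ip from 192.168.2.2 to not 192.168.2.0/24 out

    # The rest of the site's filtering policy belongs between here and the final allow.
    $IPFW add 65000 allow ip from any to any
}

# rule_order PATTERN1 PATTERN2 prints "ok" when the first rule matching PATTERN1 is
# emitted before the first rule matching PATTERN2, otherwise "wrong" (dry run only).
rule_order() {
    rules=$(load_rules)
    first=$(printf '%s\n' "$rules" | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    second=$(printf '%s\n' "$rules" | grep -n -- "$2" | head -n 1 | cut -d: -f1)
    if [ -n "$first" ] && [ -n "$second" ] && [ "$first" -lt "$second" ]; then
        echo ok
    else
        echo wrong
    fi
}

load_rules
```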