load-balancing, DNS

Andrei Kolu antik at bsd.ee
Wed Jan 2 09:40:56 PST 2008


On Wednesday 02 January 2008 18:46:43, Tommy Pham wrote:
> Hi Michael,
>
> Here is my ruleset:
>
> NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
> #  Options: tune the behavior of pf, default values are given.
> #set timeout { interval 10, frag 30 }
> #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> #set timeout { icmp.first 20, icmp.error 10 }
> #set timeout { other.first 60, other.single 30, other.multiple 60 }
> #set timeout { adaptive.start 0, adaptive.end 0 }
> #set limit { states 60000, frags 30000 }
> #set loginterface re0
> #set require-order yes
> #set fingerprints "/etc/pf.os"
> #set optimization aggressive
> set optimization normal
> set block-policy drop
> set skip on lo
>
> #  Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in
>
> #  Queueing
>
> #  nat/rdr
> nat on $ext_if1 from $lan_net to any -> ($ext_if1) round-robin
> nat on $ext_if2 from $lan_net to any -> ($ext_if2) round-robin
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
>
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \
>     port $www_ports -> $www_sys
> rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \
>     port $www2_ports -> $www2_sys
>
> #  Rules
> #block in  log on $ext_if1 from $NoRouteIPs to any
> #block out log on $ext_if1 from any to $NoRouteIPs
> #block in  log on $ext_if2 from $NoRouteIPs to any
> #block out log on $ext_if2 from any to $NoRouteIPs
>
> block in  log
> block out log
> pass on $int_if
>
> #anchor "ftp-proxy/*"
> antispoof log quick for { lo $int_if }
>
> #  load balance outgoing tcp traffic from internal network.
> pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin proto tcp from $lan_net to any \
>     flags S/SA modulate state
> #  load balance outgoing udp and icmp traffic from internal network
> pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin proto { udp, icmp } from $lan_net to any keep state
>
> pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
>     from any to { $ns1a, $ns1b } keep state
> pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
>     from any to { $ns2a, $ns2b } keep state
>
> #  general "pass out" rules for external interfaces
> pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
> pass out on $ext_if1 proto { udp, icmp } from any to any keep state
> pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
> pass out on $ext_if2 proto { udp, icmp } from any to any keep state
>
> # allowed services
> pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www_sys port $www_ports \
>     flags S/SA synproxy state
> pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www2_sys port $www2_ports \
>     flags S/SA synproxy state
>
> #  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
> #  $ext_if2 and $ext_gw2
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>

http://www.openbsd.org/faq/pf/pools.html

Load Balance Incoming Connections

Address pools can also be used to load balance incoming connections. For
example, incoming web server connections can be distributed across a web
server farm:

    web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"

    rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
        round-robin sticky-address

Successive connections will be redirected to the web servers in a round-robin
manner with connections from the same source being sent to the same web
server. This "sticky connection" will exist as long as there are states that
refer to this connection. Once the states expire, so will the sticky
connection. Further connections from that host will be redirected to the next
web server in the round robin.

NOTE: I seriously doubt "sticky-address" will work on FreeBSD; it has been broken
for a couple of years already and it looks like no one cares to fix it (it works on
OpenBSD, of course). Without this option load balancing is a joke.


More information about the freebsd-pf mailing list