pf and carp

Frank Cases fcases at teliax.com
Wed Jun 8 21:20:24 GMT 2005 

my setup is at

http://pastebin.ca/13602

the pf has changed alot since that post..
but mainly my problem is a pf configuration issue..


020096 rule 6/0(match): pass in on xl0: IP 172.16.0.101.14906 >
192.168.1.22.47468: UDP, length: 172
019964 rule 6/0(match): pass in on xl0: IP 172.16.0.101.14906 >


first 192.168.x is the client internal ip from far far away... why is it
here ?i dont know

also .. on client side i see those as beging 172.16.0.101

so i need to rewrite my internal to exeternal..

problem is it doesnt work..

Any help appreciated...






my pf.conf



# Variable definitions.
#

ext_if = "xl2"
int_if = "xl0"
loop   = "lo0"
pfsync_if="xl1"

ext_ifs = "{ xl2, carp0, carp1 }"
int_ifs = "{ xl0, carp2, carp3 }"

ext_carps= "{ carp0 ,carp1 }"

ext_ip = "204.18.109.140"
int_ip = "172.16.0.200"

server ="{ 172.16.0.101 ,172.16.0.100}"
int_net ="172.16.0.1/24"


voip_tcp = "5060"
voip_udp = "{5060, 4569, 5036, 9999 >< 20001, 2727}"


table <asts> { 172.16.0.100, 172.16.0.101 }


#TCP_OPTIONS = "flags S/SAFRUP keep state"
TCP_OPTIONS = " keep state"

reserved = " {
        0.0.0.0/8,      10.0.0.0/8,     20.20.20.0/24,  127.0.0.0/8,
        169.254.0.0/16, 172.16.0.0/12,  192.0.2.0/24,   192.168.0.0/16,
        224.0.0.0/3,    255.255.255.255 } "

scrub in on $ext_if all

####
# Nat rules
#
#internal out rewriting ?


#perform NAT on the xl2 interface for any packets coming from
172.16.0.0/24 and to replace the source IP address with 204.18.109.140
nat on $ext_ifs from $int_if/24 to any -> $ext_ip


nat on $int_if proto tcp from $int_net to $server  ->  $int_ip
nat on $int_if proto udp from $int_net to $server  ->  $int_ip
###nat pass on $int_ifs from $int_net to any -> $ext_ip

#no nat on $ext_if from 204.18.109.140 to any

### PLAYING

binat on $ext_ifs from 172.16.0.101 to any -> 204.18.109.140
binat on $ext_ifs from 172.16.0.100 to any -> 204.18.109.140




#### END PALYING

#rewrite to loadbalance
#rdr on $ext_carps inet proto tcp from any to $ext_ip port 4569 ->
172.16.0.101 port 4569
#rdr on $ext_carps inet proto tcp from any to $ext_ip port 5060 ->
172.16.0.101 port 5060

#rdr on $ext_carps inet proto udp from any to $ext_ip port 5060 ->
172.16.0.101  port 5060

#rdr pass on $ext_if proto tcp from any to any port 80 -> $server port 80



rdr pass on $ext_ifs proto tcp from any to any port 80 ->   $server port 80
rdr pass on $ext_ifs proto tcp from any to any port 4569 -> $server port 4569
rdr pass on $ext_ifs proto tcp from any to any port 5060 -> $server port 5060

rdr pass on $ext_ifs proto udp from any to any port 4569 -> $server port 4569
rdr pass on $ext_ifs proto udp from any to any port 5060 -> $server port 5060
rdr pass on $ext_ifs proto udp from any to any port 9999:20001 -> $server
rdr pass on $ext_ifs proto udp from any to any port 2727  -> $server port
2727

rdr pass on $ext_ifs proto tcp from any to any port $voip_tcp  -> $server
port $voip_tcp
rdr pass on $ext_ifs proto udp from any to any ->  $server







###
#RULES
#

block out log-all on $ext_if all
block in  log-all on $ext_if all


#carp rules
pass out log-all on $ext_carps proto carp keep state

#pfsunc rules
pass on $pfsync_if proto pfsync

#local nic all pass Rule #1
pass in quick on lo0 all

# log and allow all on int_if  i should add quick
pass log-all on $int_if all


######################################################      OUT
###########################

#PASSOUT INTERNAL NET
pass out quick log-all on $int_if   inet proto tcp from $int_if  to any
keep state
pass out quick log-all on $ext_ifs  inet proto tcp from $ext_ifs to any
keep state


# Main pass out ------ BAILS OUT OF RULES
#pass out  log quick on $ext_if proto udp all keep state
pass out   log quick on $ext_ifs proto udp all keep state
pass out   log quick on $int_if proto udp all keep state
#pass out  log quick on $ext_if proto tcp all keep state
pass out   log quick on $ext_ifs proto tcp all keep state
pass out   log quick on $int_if proto tcp all keep state


######################################################     IN
###########################


#DNS  ------ BAILS OUT OF RULES
pass in  quick on $ext_if proto udp from any  port = 53 to $ext_if port =
53 keep state
pass in  quick on $int_if proto udp from any  port = 53 to $ext_if port =
53 keep state

#WEB  ------ BAILS OUT OF RULES
pass in  log-all quick on $ext_if  inet  proto carp  from any to $ext_ifs
$TCP_OPTIONS
pass in  log-all quick on $ext_if  inet  proto tcp  from any to $ext_ifs
port 80 $TCP_OPTIONS




#asterisk 4569 5060------ BAILS OUT OF RULES


pass in  log-all on $ext_ifs  inet proto tcp from any to any port
$voip_tcp flags S/SA keep state
pass out log-all on $ext_ifs  inet proto tcp all flags S/SA keep state
pass in  log-all on $ext_ifs  inet proto udp from any to any port
$voip_udp keep state
pass out log-all on $ext_ifs  proto udp all keep state


pass in  log-all quick on $ext_ifs  inet  proto tcp  from any to $ext_ifs
port 5060 $TCP_OPTIONS
pass in  log-all quick on $ext_ifs  inet  proto udp  from any to $ext_ifs
port 5060 $TCP_OPTIONS

pass in  log-all quick on $ext_ifs  inet  proto tcp  from any to $ext_ifs
port 4569 $TCP_OPTIONS
pass in  log-all quick on $ext_ifs  inet  proto udp  from any to $ext_ifs
port 4569 $TCP_OPTIONS

pass in  log-all       on $ext_ifs  inet  proto udp  from any to any
port $voip_udp  $TCP_OPTIONS


#SSH  ------ BAILS OUT OF RULES
pass in  log-all quick  inet  proto tcp  from any to $ext_if  port 1978
keep state



#ICMP Both ways

pass in  on $ext_ifs inet proto icmp all icmp-type 8 code 0 keep state
pass in  on $ext_ifs inet proto icmp all icmp-type 36  keep state
pass out on $ext_ifs inet proto icmp all  keep state
pass out on $int_ifs inet proto icmp all  keep state



Frank

More information about the freebsd-current mailing list