problem configuring ipfilter for multiple network routing

João Assad jfassad at parperfeito.com.br
Tue Oct 19 12:24:16 PDT 2004 

Hello guys,

I have a firewall with 3 network interfaces, 2 external (fxp1 and fxp2) 
and 1 internal (fxp0)
fxp0 is connected to my private network while fxp1 and fxp2 are 
connected to two different ISPs.

Im trying to use ipfilter to route outgoing packets trough two different 
interfaces and their respective gateways based on the packet's source IP.

My problem is that when a packet comes from 10.1.0.0/16, it is correctly 
routed through the fxp2 interface and reach the destination... but the 
reply packets are lost in my firewall and never reach the sender IP from 
10.1.0.0/16 network.

packets coming from 10.0.0.0/16 work perfectly.

You can see what Im trying to do at 
http://www.bsdnews.org/01/policy_routing.php - *Example 3 - Routing for 
Multiple Network*
The difference is that Im using stateful rules.

My guess is that the reply packets coming from the destination IP do not 
match the rules in the state table created by ipfilter

a telnet to www.google.com 80 will generate this rule in the state table:

10.1.4.1 -> 216.239.39.99 ttl 3596 pass 0x5006 pr 6 state 4/3
        pkts 4 bytes 188        32830 -> 80 fd654c28:18ea8803 
5840<<0:8190<<0
        pass out quick keep state       IPv4
        pkt_flags & 2(b2) = b,          pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
        interfaces: in fxp0,fxp2 out fxp1,fxp0


Any idea on how to fix it ? ipnat and ipfilter configuration below:

Thanks in advance.

----ipnat.rules:
map fxp1 10.0.0.0/16 -> a.b.c.d/32 portmap tcp/udp 1025:65000
map fxp1 10.0.0.0/16 -> a.b.c.d/32

map fxp2 10.1.0.0/16 -> e.f.g.h/32 portmap tcp/udp 1025:65000
map fxp2 10.1.0.0/16 -> e.f.g.h/32


----ipf.rules:
pass out quick on fxp1 to fxp2:fxp2_gateway from 10.1.0.0/16 to any keep 
state

block return-rst in log on fxp1 proto tcp all flags S head 100
   pass in proto tcp from any to 10.0.5.1/32 port = 25 flags S keep 
state group 100

block out log on fxp1 all head 150
   pass out proto tcp  all flags S/SA keep state group 150
   pass out proto udp  all keep state group 150
   pass out proto icmp all keep state group 150

block return-icmp-as-dest(port-unr) in log on fxp1 proto udp all head 155
   block in proto udp from any to a.b.c.d/32 port = 137 group 155

block return-rst in log on fxp2 proto tcp all flags S head 200
   pass in proto tcp from any to 10.1.5.1/32 port = 25 flags S keep 
state group 100

block out log on fxp2 all head 250
   pass out proto tcp  all flags S/SA keep state group 250
   pass out proto udp  all keep state group 250
   pass out proto icmp all keep state group 250

block return-icmp-as-dest(port-unr) in log on fxp2 proto udp all head 255
   block in proto udp from any to e.f.g.h/32 port = 137 group 255

pass in quick on fxp0 all
pass out quick on fxp0 all

pass in quick on lo0 all
pass out quick on lo0 all

-- 

--------------------------------
- João Assad
- ParPerfeito Comunicação LTDA
- http://www.parperfeito.com.br/

More information about the freebsd-isp mailing list