problem configuring ipfilter for multiple network routing
João Assad
jfassad at parperfeito.com.br
Wed Oct 20 08:48:04 PDT 2004
No response...
So I take it it's either an ipfilter or FreeBSD limitation?
João Assad wrote:
> Hello guys,
>
> I have a firewall with 3 network interfaces, 2 external (fxp1 and
> fxp2) and 1 internal (fxp0)
> fxp0 is connected to my private network while fxp1 and fxp2 are
> connected to two different ISPs.
>
> I'm trying to use ipfilter to route outgoing packets through two
> different interfaces and their respective gateways based on the
> packet's source IP.
>
> My problem is that when a packet comes from 10.1.0.0/16, it is
> correctly routed through the fxp2 interface and reaches the
> destination... but the reply packets are lost in my firewall and never
> reach the sender IP on the 10.1.0.0/16 network.
>
> Packets coming from 10.0.0.0/16 work perfectly.
>
> You can see what I'm trying to do at
> http://www.bsdnews.org/01/policy_routing.php - *Example 3 - Routing
> for Multiple Network*
> The difference is that I'm using stateful rules.
>
> My guess is that the reply packets coming from the destination IP do
> not match the rules in the state table created by ipfilter
>
> a telnet to www.google.com 80 will generate this rule in the state table:
>
> 10.1.4.1 -> 216.239.39.99 ttl 3596 pass 0x5006 pr 6 state 4/3
> pkts 4 bytes 188 32830 -> 80 fd654c28:18ea8803
> 5840<<0:8190<<0
> pass out quick keep state IPv4
> pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
> pkt_security & ffff = 0, pkt_auth & ffff = 0
> interfaces: in fxp0,fxp2 out fxp1,fxp0
>
>
> Any idea on how to fix it? ipnat and ipfilter configuration below:
>
> Thanks in advance.
>
> ----ipnat.rules:
> map fxp1 10.0.0.0/16 -> a.b.c.d/32 portmap tcp/udp 1025:65000
> map fxp1 10.0.0.0/16 -> a.b.c.d/32
>
> map fxp2 10.1.0.0/16 -> e.f.g.h/32 portmap tcp/udp 1025:65000
> map fxp2 10.1.0.0/16 -> e.f.g.h/32
>
>
> ----ipf.rules:
> pass out quick on fxp1 to fxp2:fxp2_gateway from 10.1.0.0/16 to any
> keep state
>
> block return-rst in log on fxp1 proto tcp all flags S head 100
> pass in proto tcp from any to 10.0.5.1/32 port = 25 flags S keep
> state group 100
>
> block out log on fxp1 all head 150
> pass out proto tcp all flags S/SA keep state group 150
> pass out proto udp all keep state group 150
> pass out proto icmp all keep state group 150
>
> block return-icmp-as-dest(port-unr) in log on fxp1 proto udp all head 155
> block in proto udp from any to a.b.c.d/32 port = 137 group 155
>
> block return-rst in log on fxp2 proto tcp all flags S head 200
> pass in proto tcp from any to 10.1.5.1/32 port = 25 flags S keep
> state group 200
>
> block out log on fxp2 all head 250
> pass out proto tcp all flags S/SA keep state group 250
> pass out proto udp all keep state group 250
> pass out proto icmp all keep state group 250
>
> block return-icmp-as-dest(port-unr) in log on fxp2 proto udp all head 255
> block in proto udp from any to e.f.g.h/32 port = 137 group 255
>
> pass in quick on fxp0 all
> pass out quick on fxp0 all
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
--
--------------------------------
- João Assad
- ParPerfeito Comunicação LTDA
- http://www.parperfeito.com.br/
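When debugging a question like the one above, the first thing to script is the ipfstat state-table dump itself: parse each entry, pull out the 5-tuple it tracks, and look up which entry (if any) an observed reply packet reverses. The following is an added example, not code from the original post or from the ipfilter project; it parses the entry format quoted in the post (a constructed sample copied from it) and leaves the "interfaces:" lists as parsed data only, since the post does not say how ipfilter interprets them. The function names and the StateEntry record are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the single state-table entry quoted in the post
# (ipfstat -sl style output), used here as offline input.
SAMPLE_STATE = """\
10.1.4.1 -> 216.239.39.99 ttl 3596 pass 0x5006 pr 6 state 4/3
pkts 4 bytes 188 32830 -> 80 fd654c28:18ea8803
5840<<0:8190<<0
pass out quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in fxp0,fxp2 out fxp1,fxp0
"""


@dataclass
class StateEntry:
    """One tracked flow: forward-direction 5-tuple, creating rule, interface lists."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    rule: str
    in_ifs: list
    out_ifs: list


# First line of an entry: "src -> dst ttl N <action> 0x<flags> pr <proto> state a/b"
HEAD = re.compile(r"^(\S+) -> (\S+) ttl \d+ \w+ 0x[0-9a-f]+ pr (\d+) state")
# Counter line carries the ports: "pkts N bytes N sport -> dport ..."
PORTS = re.compile(r"bytes \d+ (\d+) -> (\d+)")
# Interface line: "interfaces: in a,b out c,d" (semantics not interpreted here)
IFACES = re.compile(r"^interfaces: in ([\w,]+) out ([\w,]+)")


def parse_state_entries(text):
    """Parse ipfstat state output into StateEntry records (one per tracked flow)."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "proto": int(m.group(3)),
                   "sport": 0, "dport": 0, "rule": "", "in_ifs": [], "out_ifs": []}
            entries.append(cur)
            continue
        if cur is None:
            continue  # skip anything before the first entry
        m = PORTS.search(line)
        if m:
            cur["sport"], cur["dport"] = int(m.group(1)), int(m.group(2))
            continue
        if line.startswith(("pass ", "block ")):
            cur["rule"] = line.strip()  # the rule text that created the state
            continue
        m = IFACES.match(line)
        if m:
            cur["in_ifs"] = m.group(1).split(",")
            cur["out_ifs"] = m.group(2).split(",")
    return [StateEntry(**e) for e in entries]


def find_state_for_reply(entries, src, dst, sport, dport, proto):
    """Return the entry whose forward 5-tuple this packet reverses, else None.

    A reply to the tracked flow has the tracked dst as its src and vice versa,
    with ports swapped accordingly and the same protocol number.
    """
    for e in entries:
        if (src, dst, sport, dport, proto) == (e.dst, e.src, e.dport, e.sport, e.proto):
            return e
    return None


if __name__ == "__main__":
    table = parse_state_entries(SAMPLE_STATE)
    for e in table:
        print(f"{e.src}:{e.sport} -> {e.dst}:{e.dport} proto {e.proto} "
              f"via rule '{e.rule}' in={e.in_ifs} out={e.out_ifs}")
    # The reply to the post's telnet-to-google test, as it would arrive back:
    hit = find_state_for_reply(table, "216.239.39.99", "10.1.4.1", 80, 32830, 6)
    print("reply matches a state entry:", hit is not None)
```

Feeding a full `ipfstat -sl` dump through `parse_state_entries` and checking captured reply packets with `find_state_for_reply` separates the two possible causes the post is guessing at: if the 5-tuple lookup fails, the state was never created for that flow; if it succeeds, the drop is happening somewhere other than the address and port match, and the parsed interface lists are the next thing to compare against where the reply actually arrived.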