Policy Based Routing pf
fr33man
fr33man at fr33man.ru
Thu Nov 2 22:17:40 UTC 2006
Hi all!
I have one problem with pf. This is my network:
    ISP1          ISP2
      |             |
      |             |
      |             |
      |             |
      FreeBSD (shield)
             |
             |
             |
       Local_Network
My configuration:
Local_Network has address: 192.168.1.0/24.
The IP address of the FreeBSD box (hostname is shield) is 192.168.1.254 on the
Local_Network, 192.168.98.2 on ISP1, and an external IP (for example
1.1.1.1) on ISP2.
The default gateway is ISP1, and ip address of default gateway is
192.168.98.1.
ISP2 gives me internet over a VPN, and the gateway on ISP2 is 172.17.0.1. This is
the output of `ifconfig`:
shield@/usr/local/etc> ifconfig
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.98.2 netmask 0xffffff00 broadcast 192.168.98.255
        ether 00:05:1c:1e:6f:9e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:00:4b:51:07:84
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
pfsync0: flags=0<> mtu 2020
pflog0: flags=0<> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1440
        inet 1.1.1.1 --> 172.17.0.1 netmask 0xffffffff
shield@/usr/local/etc>
I have compiled the kernel with pf:
device pf
device pflog
device pfsync
And this is my pf.conf:
shield@/usr/local/etc> cat /etc/pf.conf.back
ext_if="ng0"
scrub in all
nat on $ext_if inet proto tcp from 192.168.1.230 port 80 -> $ext_if
rdr on $ext_if inet proto tcp to $ext_if port www -> 192.168.1.230 port www
pass in quick on $ext_if reply-to ($ext_if 172.17.0.1) inet proto tcp tagged WEB_SERVER flags S/SA keep state
pass all
shield@/usr/local/etc>
192.168.1.230 is the web server's IP address.
And now I want to tell you one very interesting thing! ;)
If I have an index.html of about 1 KB on the web server, everyone can see
it (from the internet), but if index.html is about 11 KB, nobody can see it
from the internet!!!
Can you help me?
--
WBR Ozerov Vasiliy I.
Good Luck
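For reference, the usual shape of this kind of reply-to setup, added here as an illustration and not taken from the original post (it is not a verified fix for the 1 KB / 11 KB symptom): the posted rule set matches on `tagged WEB_SERVER` but no rule ever sets that tag, so the `pass in quick ... reply-to` rule never creates state and `pass all` (with no reply-to) handles the connection instead. Interface names, addresses and the web server IP follow the post; the `int_if` macro, the `max-mss` clamp (1440-byte ng0 MTU minus 40 bytes of IP+TCP headers) and the `tag` on the rdr rule are assumptions about what the poster intended.

```pf
# Added illustration, not the original poster's configuration.
ext_if="ng0"            # ISP2 VPN tunnel, MTU 1440 (from the post)
int_if="fxp0"           # LAN side (from the post)
isp2_gw="172.17.0.1"    # gateway on the ISP2 side of the tunnel
web_srv="192.168.1.230" # web server on the LAN

# Normalise traffic and clamp the TCP MSS so segments fit the 1440-byte
# tunnel MTU (assumed value: 1440 - 40 bytes of IP+TCP headers).
scrub in all max-mss 1400

# Inbound web traffic: redirect to the LAN server and tag the connection so
# the filter rule below can recognise it. Translation happens before filtering,
# so the filter rule sees the translated destination ($web_srv).
rdr on $ext_if inet proto tcp from any to $ext_if port www tag WEB_SERVER -> $web_srv port www

# Filter rule that actually matches the tag. State is created on $ext_if and
# reply-to sends the return packets back out through the ISP2 gateway instead
# of following the ISP1 default route.
pass in quick on $ext_if reply-to ($ext_if $isp2_gw) inet proto tcp \
    from any to $web_srv port www tagged WEB_SERVER flags S/SA keep state

pass all
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -ss` after a test connection should show the web server state on ng0 with the reply-to route attached.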