load-balancing, DNS

Tommy Pham tommyhp2 at yahoo.com
Wed Jan 2 08:46:44 PST 2008


Hi Michael,

Here is my ruleset:

NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

#  Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 60000, frags 30000 }
#set loginterface re0
#set require-order yes
#set fingerprints "/etc/pf.os"
#set optimization aggressive
set optimization normal
set block-policy drop
set skip on lo

#  Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in

#  Queueing

#  nat/rdr
nat on $ext_if1 from $lan_net to any -> ($ext_if1) round-robin
nat on $ext_if2 from $lan_net to any -> ($ext_if2) round-robin

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"

#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \
    port $www_ports -> $www_sys
rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \
    port $www2_ports -> $www2_sys

#  Rules
#block in  log on $ext_if1 from $NoRouteIPs to any
#block out log on $ext_if1 from any to $NoRouteIPs
#block in  log on $ext_if2 from $NoRouteIPs to any
#block out log on $ext_if2 from any to $NoRouteIPs

block in  log
block out log
pass on $int_if

#anchor "ftp-proxy/*"
antispoof log quick for { lo $int_if }

#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin proto tcp from $lan_net to any \
    flags S/SA modulate state
#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin proto { udp, icmp } from $lan_net to any keep state

pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from any to { $ns1a, $ns1b } keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    from any to { $ns2a, $ns2b } keep state

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# allowed services
pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www_sys port $www_ports \
    flags S/SA synproxy state
pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www2_sys port $www2_ports \
    flags S/SA synproxy state

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any


I still need to refine the rules more to tighten security.

~Tommy

--- Michael Zimmer <drakyri at hotmail.com> wrote:

> 
> Turns out that those actually completely (instead of the ~75% success
> rate before) disabled the DNS access of the client machines.
>  
> I can't think why that wouldn't work, though - added these to the
> top, just below the SSH-allow entries:
>  
> pass in quick on $int_if route-to ($ext_if1 $ext_gw1) from any to { $ns1a, $ns1b } keep state
> pass in quick on $int_if route-to ($ext_if2 $ext_gw2) from any to { $ns2a, $ns2b } keep state
>  
> ...with nsXY appropriately defined.  Should these be reply-to also? 
> ...I changed the main load-balancing rules as suggested:
>  
> pass in quick on $int_if reply-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> proto { tcp icmp udp } from 192.168.1.1/24 to any flags S/SA keep state
> pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> sticky-address proto { tcp icmp udp } from any to any flags S/SA keep state
>  
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>  
> ...I'd really appreciate any suggestions. : )
>  
> thanks,
> mike
>  
>  
> > From: drakyri at hotmail.com
> > To: tommyhp2 at yahoo.com; freebsd-pf at freebsd.org; mksmith at adhost.com
> > Date: Wed, 2 Jan 2008 09:45:38 +0000
> > CC:
> > Subject: RE: load-balancing, DNS
> >
> > Thanks to both of you ... it looks okay remotely - I'll test it on-site tomorrow.
> >
> > -mike
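As an added illustration (editor's code, not from the thread or from pf itself), this small Python model of pf's rule-matching order shows why the placement and the quick flag on the DNS rules decide whether a query to ISP 1's resolvers leaves via $ext_gw1 or gets round-robined across both uplinks; the resolver addresses and gateway labels are constructed stand-ins for the macros used above.

```python
"""Toy model of pf rule evaluation: a matching 'quick' rule ends evaluation,
otherwise the last matching rule wins.  Only a flow's first packet is modelled."""
from dataclasses import dataclass, field
from itertools import cycle

# Constructed stand-ins for the macros used in the thread ($ns1a ... $ext_gw2).
NS1 = {"203.0.113.53", "203.0.113.54"}    # $ns1a, $ns1b: resolvers of ISP 1
NS2 = {"198.51.100.53", "198.51.100.54"}  # $ns2a, $ns2b: resolvers of ISP 2
GW1 = "($ext_if1 $ext_gw1)"
GW2 = "($ext_if2 $ext_gw2)"

@dataclass
class Rule:
    protos: set
    dst: "set | None"    # None models "to any"
    route_to: list       # one gateway pins; two gateways form a round-robin pool
    quick: bool = False
    _rr: object = field(default=None, repr=False)
    def matches(self, proto, dst):
        return proto in self.protos and (self.dst is None or dst in self.dst)
    def gateway(self):
        if len(self.route_to) == 1:
            return self.route_to[0]
        if self._rr is None:         # round-robin pointer is kept per rule
            self._rr = cycle(self.route_to)
        return next(self._rr)

def evaluate(rules, proto, dst):
    """Gateway pf would pick for a new flow, honouring quick and last-match."""
    winner = None
    for r in rules:
        if r.matches(proto, dst):
            winner = r
            if r.quick:
                break
    return winner.gateway() if winner else None

def dns_pins():
    """The two 'pass in quick ... route-to' rules that pin each ISP's resolvers."""
    return [Rule({"tcp", "udp"}, NS1, [GW1], quick=True),
            Rule({"tcp", "udp"}, NS2, [GW2], quick=True)]

def balancer(quick):
    """The general round-robin route-to rule for LAN traffic."""
    return Rule({"tcp", "udp", "icmp"}, None, [GW1, GW2], quick=quick)

def layouts():
    return {"pins_first": dns_pins() + [balancer(True)],      # Michael: pins at the top
            "balancer_first": [balancer(True)] + dns_pins(),  # quick balancer shadows the pins
            "tommy": [balancer(False)] + dns_pins()}          # Tommy: non-quick balancer, pins after
```

With the pins first, or with a non-quick balancer ahead of quick pins, resolver traffic is always pinned to its own ISP; a quick balancer placed above the pins alternates it between uplinks, which is the behaviour the thread is trying to avoid.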
