RDR not triggered

Vadim Goncharov vadim_nuclight at mail.ru
Thu Nov 13 04:10:07 PST 2008


Hi FreeBSD! 

On Wed, 12 Nov 2008 17:22:13 -0500; FreeBSD wrote about 'RDR not triggered':

> Quick explanation of my setup:

> We have 2 webservers, a frontend and a backend. The frontend has a jail 
> for Lighttpd (images server) and Apache on the base system (for PHP). 
> There is one public IP associated to the jail on the public side of the 
> frontend server. There is only one internal private IP. The jail is 
> bound to 127.0.0.25 and an RDR on the external interface is redirecting 
> the traffic into the jail when the request arrives with its public IP as 
> destination.

> rdr on $EXT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD 
> port http

> That's working great for external connections.

> The problem is that the backend server needs to access the Lighttpd jail 
> by the public IP of the frontend server. I understand that I can't 
> redirect the traffic inside the jail with an RDR on the external 
> interface because the packets don't pass through that interface. That's 
> why I created a copy of the above RDR but on the internal interface.

> rdr on $INT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD 
> port http

> That rule is never triggered even when the traffic, according to 
> tcpdump, corresponds to the criteria. At the moment, the RDR for 
> the internal interface is just before the external one.

> The pfctl -gvvvsn output for these 2 rules:

> @0 rdr on bge1 inet proto tcp from any to 66.AAA.BB.66 port = http -> 
> 127.0.0.25 port 80
>    [ Skip steps: d=end f=9 p=9 sa=end sp=12 da=2 dp=2 ]
>    [ queue: qname= qid=0 pqname= pqid=0 ]
>    [ Evaluations: 91246     Packets: 0         Bytes: 0 
> States: 0     ]
> @1 rdr on bge0 inet proto tcp from any to 66.AAA.BB.66 port = http -> 
> 127.0.0.25 port 80
>    [ Skip steps: i=9 d=end f=9 p=9 sa=end sp=12 ]
>    [ queue: qname= qid=0 pqname= pqid=0 ]
>    [ Evaluations: 91246     Packets: 3261224   Bytes: 2403004153 
> States: 2531  ]
[...]
> Nothing is blocked on either of the servers. The packets are simply not 
> redirected and are passed to the Apache on the base system of the frontend 
> server instead of going into the Lighttpd jail, but only when coming from the 
> internal network.
> I'm using FreeBSD 6.2 on the frontend and 7.0 on the backend.

It is possible that you have "set skip on $INT_IF" - in that case all rules on
that interface will not work. Or there is another reason; I need to see the
complete pf ruleset. Or try "rdr pass ...".

I've asked some people; they tried a similar (but not exact!) setup on 6.1/7.0,
and it worked. So it may be a bug in your version of pf, if not the ruleset.

The last possible reason is an architectural flaw of pf, which binds IPs for
states to interfaces; in that case you will need to do ipfw fwd (you can use
both ipfw and pf simultaneously).

-- 
WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight at mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
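The two checks suggested in the reply above (is the internal interface in "set skip", and which rdr rules are evaluated but never match), as an added example script that is not part of the thread. It assumes you have saved the output of "pfctl -gvvvsn" (rules with counters) and "pfctl -vsI" (interface list, where pfctl marks skipped interfaces with "(skip)") to files; the sample text embedded below is constructed to mirror the counters posted in the thread, and the interface names and the 66.AAA.BB.66 address are placeholders taken from it.

```shell
#!/bin/sh
# Added example, not from the thread. Given saved "pfctl -gvvvsn" output
# and saved "pfctl -vsI" output, report (a) rdr rules that pf evaluated
# but that never matched a packet and (b) rdr rules whose interface is
# covered by "set skip on", since pf does not apply rules on a skipped
# interface at all. The inputs below are constructed sample data.

RULES=$(mktemp) ; IFACES=$(mktemp)
trap 'rm -f "$RULES" "$IFACES"' EXIT

# Constructed sample: counters as posted in the thread, one rule per line
# (pfctl prints each rule on a single line; the mail client wrapped them).
cat >"$RULES" <<'EOF'
@0 rdr on bge1 inet proto tcp from any to 66.AAA.BB.66 port = http -> 127.0.0.25 port 80
  [ Skip steps: d=end f=9 p=9 sa=end sp=12 da=2 dp=2 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 91246     Packets: 0         Bytes: 0           States: 0     ]
@1 rdr on bge0 inet proto tcp from any to 66.AAA.BB.66 port = http -> 127.0.0.25 port 80
  [ Skip steps: i=9 d=end f=9 p=9 sa=end sp=12 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 91246     Packets: 3261224   Bytes: 2403004153  States: 2531  ]
EOF

# Constructed sample "pfctl -vsI" output: hypothetical "set skip on { lo0, bge1 }".
cat >"$IFACES" <<'EOF'
all
bge0
bge1 (skip)
lo0 (skip)
EOF

# Print "@N iface" for every rdr rule with Evaluations > 0 and Packets == 0.
# In the counter line, $3 is the Evaluations value and $5 the Packets value.
idle_rdr_rules() {
    awk '/^@[0-9]+ rdr on / { rule = $1; iface = $4 }
         /Evaluations:/     { if ($3 + 0 > 0 && $5 + 0 == 0) print rule, iface }' "$1"
}

# Print "@N iface" for every rdr rule whose interface is marked "(skip)".
# Argument 1: rules file, argument 2: interfaces file.
skipped_rdr_rules() {
    awk 'NR == FNR { if ($2 == "(skip)") skip[$1] = 1; next }
         /^@[0-9]+ rdr on / { if ($4 in skip) print $1, $4 }' "$2" "$1"
}

echo "rdr rules evaluated but never matched:"
idle_rdr_rules "$RULES"
echo "rdr rules on interfaces covered by set skip:"
skipped_rdr_rules "$RULES" "$IFACES"
```

On a live box, replace the two heredocs with `pfctl -gvvvsn > rules.txt` and `pfctl -vsI > ifaces.txt`. A rule that shows up in both lists is explained by the skip list: remove the interface from "set skip on" in pf.conf and reload. A rule that is idle but whose interface is not skipped points at the other causes in the reply (ruleset ordering, a pf bug in that release, or state-to-interface binding, where ipfw fwd is the workaround).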



More information about the freebsd-pf mailing list