RDR not triggered
FreeBSD
freebsd at optiksecurite.com
Thu Nov 13 07:57:38 PST 2008
Vadim Goncharov wrote:
> Hi FreeBSD!
>
> On Wed, 12 Nov 2008 17:22:13 -0500; FreeBSD wrote about 'RDR not triggered':
>
>> Quick explanation of my setup:
>
>> We have 2 webservers, a frontend and a backend. The frontend has a jail
>> for Lighttpd (images server) and Apache on the base system (for PHP).
>> There is one public IP associated to the jail on the public side of the
>> frontend server. There is only one internal private IP. The jail is
>> bound to 127.0.0.25 and a RDR on the external interface is redirecting
>> the traffic into the jail when the request arrives with its public IP as
>> destination.
>
>> rdr on $EXT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD
>> port http
>
>> That's working great for external connections.
>
>> The problem is that the backend server needs to access the Lighttpd jail
>> by the public IP of the frontend server. I understand that I can't
>> redirect the traffic inside the jail with a RDR on the external
>> interface because the packets don't pass through that interface. That's
>> why I created a copy of the above RDR but on the internal interface.
>
>> rdr on $INT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD
>> port http
>
>> That rule is never triggered even when the traffic, according to
>> tcpdump, corresponds to the criteria. At the moment, the RDR for
>> the internal interface is just before the external one.
>
>> The pfctl -gvvvsn output for these 2 rules:
>
>> @0 rdr on bge1 inet proto tcp from any to 66.AAA.BB.66 port = http ->
>> 127.0.0.25 port 80
>> [ Skip steps: d=end f=9 p=9 sa=end sp=12 da=2 dp=2 ]
>> [ queue: qname= qid=0 pqname= pqid=0 ]
>> [ Evaluations: 91246 Packets: 0 Bytes: 0
>> States: 0 ]
>> @1 rdr on bge0 inet proto tcp from any to 66.AAA.BB.66 port = http ->
>> 127.0.0.25 port 80
>> [ Skip steps: i=9 d=end f=9 p=9 sa=end sp=12 ]
>> [ queue: qname= qid=0 pqname= pqid=0 ]
>> [ Evaluations: 91246 Packets: 3261224 Bytes: 2403004153
>> States: 2531 ]
> [...]
>> Nothing is blocked on either of the servers. The packets are simply not
>> redirected and are passed to the Apache on the base system of the frontend
>> server instead of going into the Lighttpd jail, only when coming from the
>> internal network.
>> I'm using FreeBSD 6.2 on the frontend and 7.0 on the backend.
>
> It is possible that you have "set skip on $INT_IF" - in that case all that
> interface's rules will not work. Or another reason; need to see the complete pf
> ruleset. Or try "rdr pass ..."
>
D'OH!!! You're right, there was a set skip on $INT_IF... I wasted all
my afternoon trying to debug that. Thanks a lot for your reply. You
just made my day :)
Martin
> I've asked some people, they tried similar (but not exact!) setup on 6.1/7.0,
> it worked. So it may be a bug in your version of pf, if not ruleset.
>
> The last possible reason - architectural flaw of pf, which binds IPs for states
> to interfaces, in that case you will need to do ipfw fwd (can use both ipfw and
> pf simultaneously).
>
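A minimal pf.conf illustrating the cause found in this thread, as an added example that is not part of the original posts: the `set skip` line that silently takes the internal interface out of pf (so the rdr on it can never match) beside the corrected form. Interface names, macros, the masked public IP and the 127.0.0.25 jail address are taken from the post; the pass rules are assumed, since the thread does not show the filter section.

```pf
# Added example, not from the thread. Macros follow the original post;
# 66.AAA.BB.66 is the poster's masked public address.
EXT_IF     = "bge0"
INT_IF     = "bge1"
IMG_SERVER = "66.AAA.BB.66"
LIGHTTPD   = "127.0.0.25"

# BROKEN: "set skip" removes bge1 from pf entirely. Packets arriving on
# bge1 never enter the nat/rdr or filter stages, so any rdr that names
# $INT_IF can never match, which is the "Packets: 0" seen in pfctl -vvsn.
# set skip on { lo0 $INT_IF }

# FIXED: skip only the loopback and keep $INT_IF under pf control.
set skip on lo0

# rdr is matched on the interface the packet arrives on, so the backend's
# requests (coming in on $INT_IF) need their own rule next to the external one.
rdr on $EXT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http
rdr on $INT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http

# Once $INT_IF is no longer skipped its traffic is filtered, so it needs
# explicit pass rules. Filter rules see the translated destination, hence
# $LIGHTTPD here. (Assumed; "rdr pass" as suggested in the reply is the
# one-line alternative.)
pass in on $EXT_IF proto tcp from any to $LIGHTTPD port http keep state
pass in on $INT_IF proto tcp from any to $LIGHTTPD port http keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -vvsn`: after the fix the internal rdr's Packets counter should start climbing when the backend connects.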