RDR not triggered

FreeBSD freebsd at optiksecurite.com
Thu Nov 13 07:57:38 PST 2008


Vadim Goncharov wrote:
> Hi FreeBSD! 
> 
> On Wed, 12 Nov 2008 17:22:13 -0500; FreeBSD wrote about 'RDR not triggered':
> 
>> Quick explanation of my setup:
> 
>> We have 2 webservers, a frontend and a backend. The frontend has a jail 
>> for Lighttpd (images server) and Apache on the base system (for PHP). 
>> There is one public IP associated to the jail on the public side of the 
>> frontend server. There is only one internal private IP. The jail is 
>> bound to 127.0.0.25 and a RDR on the external interface is redirecting 
>> the traffic in the jail when the request arrives with its public IP as 
>> destination.
> 
>> rdr on $EXT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD 
>> port http
> 
>> That's working great for external connections.
> 
>> The problem is that the backend server needs to access the Lighttpd jail 
>> by the public IP of the frontend server. I understand that I can't 
>> redirect the traffic inside the jail with a RDR on the external 
>> interface because the packets don't pass through that interface. That's 
>> why I created a copy of the above RDR but on the internal interface.
> 
>> rdr on $INT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD 
>> port http
> 
>> That rule is never triggered even when the traffic, according to 
>> tcpdump, corresponds to the criteria. At the moment, the RDR for 
>> the internal interface is just before the external one.
> 
>> The pfctl -gvvvsn output for these 2 rules:
> 
>> @0 rdr on bge1 inet proto tcp from any to 66.AAA.BB.66 port = http -> 
>> 127.0.0.25 port 80
>>    [ Skip steps: d=end f=9 p=9 sa=end sp=12 da=2 dp=2 ]
>>    [ queue: qname= qid=0 pqname= pqid=0 ]
>>    [ Evaluations: 91246     Packets: 0         Bytes: 0 
>> States: 0     ]
>> @1 rdr on bge0 inet proto tcp from any to 66.AAA.BB.66 port = http -> 
>> 127.0.0.25 port 80
>>    [ Skip steps: i=9 d=end f=9 p=9 sa=end sp=12 ]
>>    [ queue: qname= qid=0 pqname= pqid=0 ]
>>    [ Evaluations: 91246     Packets: 3261224   Bytes: 2403004153 
>> States: 2531  ]
> [...]
>> Nothing is blocked on either of the servers. The packets are simply not 
>> redirected and are passed to the Apache on the base system of the frontend 
>> server instead of going into the Lighttpd jail, but only when coming from the 
>> internal network.
>> I'm using FreeBSD 6.2 on the frontend and 7.0 on the backend.
> 
> It is possible that you have "set skip on $INT_IF" - in that case all that
> interface's rules will not work. Or it's another reason; I'd need to see the complete pf
> ruleset. Or try "rdr pass ..."
> 

D'OH!!! You're right, there was a set skip on $INT_IF... I wasted all 
my afternoon trying to debug that. Thanks a lot for your reply. You 
just made my day :)

Martin

> I've asked some people, they tried similar (but not exact!) setup on 6.1/7.0,
> it worked. So it may be a bug in your version of pf, if not ruleset.
> 
> The last possible reason - architectural flaw of pf, which binds IPs for states
> to interfaces, in that case you will need to do ipfw fwd (can use both ipfw and
> pf simultaneously).
> 
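For readers hitting the same symptom, here is a minimal pf.conf that reproduces the misconfiguration discussed in this thread, with the broken and corrected "set skip" lines side by side. This is an added illustration, not the poster's actual ruleset; the interface names, the 192.0.2.66 public address and the jail address are placeholders chosen to mirror the thread.

```pf
# Added example (not the poster's ruleset). Interface names and addresses
# are assumed placeholders; 192.0.2.66 is an RFC 5737 documentation address.
ext_if     = "bge0"        # public side of the frontend
int_if     = "bge1"        # internal side, facing the backend server
img_server = "192.0.2.66"  # public IP that clients use for the image server
lighttpd   = "127.0.0.25"  # address the Lighttpd jail is bound to

# BROKEN: "set skip" removes the listed interfaces from pf entirely.
# No rdr, nat or filter rule on $int_if can ever match while this is in
# effect; the rule still shows up in "pfctl -sn" and its Evaluations
# counter climbs, but Packets and States stay at 0 (exactly the counters
# quoted earlier in this thread).
# set skip on { lo0 $int_if }

# CORRECT: skip only loopback and keep the internal interface under pf.
set skip on lo0

# External clients: redirect into the jail when the packet enters on $ext_if.
rdr on $ext_if proto tcp from any to $img_server port http -> $lighttpd port http

# Backend server: packets for the public IP arrive on $int_if, so the same
# redirection is needed there. This rule only works once $int_if is no
# longer skipped.
rdr on $int_if proto tcp from any to $img_server port http -> $lighttpd port http

# Optional variant mentioned in the thread: "rdr pass" both translates and
# passes the packet in one rule, so a later filter rule cannot drop the
# redirected traffic. Use it instead of the plain rdr above if your filter
# section does not already pass traffic to $lighttpd port http.
# rdr pass on $int_if proto tcp from any to $img_server port http -> $lighttpd port http
```

To confirm which interfaces pf is ignoring before reading through the whole ruleset, run `pfctl -vsI`: an interface covered by "set skip" is listed with a "(skip)" marker next to its name, which is a faster check than staring at rule counters.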


