pf, binat, rdr, and one ip
Da Rock
freebsd-questions at herveybayaustralia.com.au
Thu Feb 10 00:42:49 UTC 2011
On 02/09/11 22:38, Maxim Khitrov wrote:
> On Wed, Feb 9, 2011 at 6:34 AM, Da Rock
> <freebsd-questions at herveybayaustralia.com.au> wrote:
>
>> On 02/09/11 21:16, Daniel Bye wrote:
>>
>>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>>
>>>
>>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>>
>>>>
>>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>>
>>>>>
>>>>>
>>>>>> A very quick question.
>>>>>>
>>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>>
>>>>>> Possible? Or would it die in the hole?
>>>>>>
>>>>>>
>>>>>>
>>>>> I guess you're concerned about performance and resource usage? If so,
>>>>> this may be helpful.
>>>>>
>>>>> http://www.openbsd.org/faq/pf/perf.html
>>>>>
>>>>> Dan
>>>>>
>>>>>
>>>>>
>>>> Useful info to have, thanks. But no, I'm interested in if the binatting
>>>> will interfere with the rdr's (or vice versa).
>>>>
>>>>
>>> Ah, I see. I don't know, is the straight answer - I've never needed to use
>>> both together. A bit of idle googling seems to suggest it's possible, but
>>> I don't have time right now to dig any deeper.
>>>
>>>
>> That's exactly what I got too. Nothing definitive to go on. Apparently not a
>> very common arrangement. It *seems* to be working, but there are some weird
>> quirks I can't quite account for. Hence the question to the guys who'd
>> know... :)
>>
> According to pf.conf(5):
>
> Evaluation order of the translation rules is dependent on the type of the
> translation rules and of the direction of a packet. binat rules are
> always evaluated first. Then either the rdr rules are evaluated on an
> inbound packet or the nat rules on an outbound packet. Rules of the same
> type are evaluated in the same order in which they appear in the ruleset.
> The first matching rule decides what action is taken.
>
> The way I interpret this is that when an outside client tries to
> establish a connection to one of your servers, the rdr rules will
> never be evaluated, since the only public IP is translated with binat.
> Outgoing connections shouldn't have a problem, since binat will only
> match one local IP address and the others can be translated with nat
> rules.
>
Allow me to prefix my comments with the fact that that is not what
appears to be happening.
I read that as well, but my reading between the lines was that it is the
_rules_ that are evaluated. So if I have a block-all policy and then
open up what I need, then only the _ports_ specified for that binat
machine are passed; the rest continue for further evaluation: the rdr
rules are then assessed and the packets are passed accordingly.
What I see works mostly; I have a binat machine for voip (asterisk), and
the rest of the jumble gets passed to the rdr's or get blocked. However,
where I come unstuck (and this is why I recreated my firewall rules) is
I still can't get outgoing calls to my voip provider. It still eludes
me... So I'm not sure if I'm 100% right or not.
Hence my dilemma... I did get outgoing calls to work somewhere when my
firewall rules were still not quite working, but I couldn't ring in! I
have used an ata and tried to figure out what I'm missing, but I still
haven't got it figured yet.
But I digress. At the time when I started this thread I was having some
odd issues with my rdr servers, but now they appear to be working as
they should (after some blood, sweat and tears), fingers crossed. So what
I will do now is finish this problem and get the voip working (which may
or may not be a firewall problem), and then see whether it all works as
beautifully as it should; then I will report back on this thread and let
people know the outcome.
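As an added illustration of the layout discussed in this thread (constructed example, not a configuration posted by anyone in the thread), here is a pf.conf in the pre-4.7 syntax FreeBSD used at the time: one public IP, one DMZ host handled by binat, the other DMZ hosts reached through rdr, and a default-deny filter. All interface names and addresses are made up; the public address is from the TEST-NET-3 documentation range. The comments restate only what the quoted pf.conf(5) text says about evaluation order.

```pf
# Constructed example, not from the thread. Names and addresses are assumptions.
ext_if  = "em0"
int_if  = "em1"
ext_ip  = "203.0.113.10"      # the single static public IP (documentation range)
voip    = "192.168.1.10"      # asterisk box, the one binat host
web     = "192.168.1.20"      # reached via rdr
mail    = "192.168.1.30"      # reached via rdr
dmz_net = "192.168.1.0/24"

set skip on lo0
scrub in all

# Translation rules. pf.conf(5): binat rules are always evaluated first,
# then rdr on an inbound packet or nat on an outbound packet; within a
# type, first match wins.

# Outbound: the voip host leaves as $ext_ip via binat, every other DMZ host
# via nat. The binat rule is listed first so it is easy to see what wins.
binat on $ext_if from $voip to any -> $ext_ip
nat   on $ext_if from $dmz_net to any -> $ext_ip

# Inbound: rdr for the remaining servers. binat is bidirectional and carries
# no port specification, so an inbound packet to $ext_ip that the binat rule
# matches is already translated to $voip before these rdr rules are consulted;
# the rdr rules only see inbound packets the binat rule did not match.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $web
rdr on $ext_if proto tcp from any to $ext_ip port 25 -> $mail

# Filter rules run after translation, so they match on the internal addresses.
# Default deny, then open only what each host needs.
block all
pass out quick on $ext_if keep state
pass in on $ext_if proto udp from any to $voip port 5060        keep state
pass in on $ext_if proto udp from any to $voip port 10000:20000 keep state
pass in on $ext_if proto tcp from any to $web  port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail port 25 flags S/SA keep state
pass in on $int_if from $dmz_net to any keep state
```

Two checks worth running on a ruleset like this: `pfctl -nf /etc/pf.conf` to parse it without loading, and `pfctl -s nat` to list the translation rules in the order pf will evaluate them, which is the order the man page excerpt describes. If the intent is for binat to take only part of the inbound traffic to the shared address, the binat grammar accepts a `proto` qualifier (for example `binat on $ext_if proto udp from $voip to any -> $ext_ip`), which narrows what binat claims and leaves the rest for the rdr rules; a `pass` rule that names a host and port only controls filtering, it does not change which translation rule matched.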