pf, binat, rdr, and one ip

Maxim Khitrov max at mxcrypt.com
Thu Feb 10 00:54:43 UTC 2011


On Wed, Feb 9, 2011 at 7:40 PM, Da Rock
<freebsd-questions at herveybayaustralia.com.au> wrote:
> On 02/09/11 22:38, Maxim Khitrov wrote:
>>
>> On Wed, Feb 9, 2011 at 6:34 AM, Da Rock
>> <freebsd-questions at herveybayaustralia.com.au>  wrote:
>>
>>> On 02/09/11 21:16, Daniel Bye wrote:
>>>
>>>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>>>
>>>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>>>
>>>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>>>
>>>>>>> A very quick question.
>>>>>>>
>>>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>>>
>>>>>>> Possible? Or would it die in the hole?
>>>>>>>
>>>>>> I guess you're concerned about performance and resource usage? If so,
>>>>>> this may be helpful.
>>>>>>
>>>>>> http://www.openbsd.org/faq/pf/perf.html
>>>>>>
>>>>>> Dan
>>>>>>
>>>>> Useful info to have, thanks. But no, I'm interested in if the binatting
>>>>> will interfere with the rdr's (or vice versa).
>>>>>
>>>> Ah, I see. I don't know, is the straight answer - I've never needed to
>>>> use both together. A bit of idle googling seems to suggest it's possible,
>>>> but I don't have time right now to dig any deeper.
>>>>
>>>
>>> That's exactly what I got too. Nothing definitive to go on. Apparently not
>>> a very common arrangement. It *seems* to be working, but there are some
>>> weird quirks I can't quite account for. Hence the question to the guys who'd
>>> know... :)
>>>
>>
>> According to pf.conf(5):
>>
>>      Evaluation order of the translation rules is dependent on the type of
>>      the translation rules and of the direction of a packet.  binat rules are
>>      always evaluated first.  Then either the rdr rules are evaluated on an
>>      inbound packet or the nat rules on an outbound packet.  Rules of the same
>>      type are evaluated in the same order in which they appear in the ruleset.
>>      The first matching rule decides what action is taken.
>>
>> The way I interpret this is that when an outside client tries to
>> establish a connection to one of your servers, the rdr rules will
>> never be evaluated, since the only public IP is translated with binat.
>> Outgoing connections shouldn't have a problem, since binat will only
>> match one local IP address and the others can be translated with nat
>> rules.
>>
>
> Allow me to prefix my comments with the fact that that is not what appears
> to be happening.
>
> I read that as well, but my reading between the lines was that it is the
> _rules_ that are evaluated. So if I have a block all policy and then open up
> what I need, then only the _ports_ specified for that binat machine are
> passed - the rest continue for further evaluation: the rdr rules are then
> assessed and the packets are passed accordingly.
>
> What I see works mostly; I have a binat machine for voip (asterisk), and the
> rest of the jumble gets passed to the rdr's or get blocked. However, where I
> come unstuck (and this is why I recreated my firewall rules) is I still
> can't get outgoing calls to my voip provider. It still eludes me... So I'm
> not sure if I'm 100% right or not.
>
> Hence my dilemma... I did get outgoing calls to work somewhere when my
> firewall rules were still not quite working, but I couldn't ring in! I have
> used an ata and tried to figure out what I'm missing, but I still haven't
> got it figured yet.
>
> But I digress. At the time when I started this thread I was having some odd
> issues with my rdr servers, but now they appear to be working as they should
> (after some blood, sweat and tears), fingers crossed. So what I will do now
> is finish this problem and get the voip working (which may or may not be a
> firewall problem), and then see whether it all works as beautifully as it
> should; then I will report back on this thread and let people know the
> outcome.
>

Are you using binat specifically for voip or is there some other
reason? I used to run a voip appliance behind m0n0wall (FreeBSD 6)
using regular nat and port forwarding without any problems. I'm not
familiar with asterisk, but I assume there is a way to restrict the
port range that is used for incoming and outgoing connections. Binat
shouldn't be needed for this if that's your only reason for going that
route.

- Max
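The two arrangements discussed in this thread, sketched as an added pf.conf fragment in the pre-4.7 pf syntax FreeBSD used at the time (this is not configuration posted by anyone in the thread). Interface names, addresses and the SIP/RTP port range are assumptions; the ordering comments restate the pf.conf(5) text quoted above.

```pf
# Constructed example; interface names and addresses are placeholders.
ext_if = "em0"
int_if = "em1"
pub_ip = "203.0.113.10"        # the one static public IP
voip   = "192.168.10.5"        # asterisk box
web    = "192.168.10.20"
mail   = "192.168.10.30"

# --- Arrangement 1: binat for the VoIP host, rdr for the rest (commented
# out so this file loads as a single ruleset) ---
# pf.conf(5): binat rules are always evaluated first, then rdr (inbound) or
# nat (outbound), and the first matching rule decides. On that reading, the
# binat below claims all of $pub_ip, so an inbound packet to $pub_ip:80
# already matches it and the rdr rules are never consulted for that packet.
# binat on $ext_if from $voip to any -> $pub_ip
# rdr on $ext_if proto tcp from any to $pub_ip port 80 -> $web
# rdr on $ext_if proto tcp from any to $pub_ip port 25 -> $mail

# --- Arrangement 2: plain nat outbound, per-service rdr inbound ---
# The VoIP host gets only its signalling and media ports forwarded
# (assumed: SIP on udp/5060 and RTP confined to udp/10000-20000 in
# asterisk), leaving the other ports of $pub_ip free for the remaining
# rdr rules.
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto udp from any to $pub_ip port 5060        -> $voip
rdr on $ext_if proto udp from any to $pub_ip port 10000:20000 -> $voip
rdr on $ext_if proto tcp from any to $pub_ip port 80 -> $web
rdr on $ext_if proto tcp from any to $pub_ip port 25 -> $mail

# Translation only rewrites addresses. Under a block-all policy, filter
# rules still have to pass the translated (internal) destinations, and
# filtering sees the packet after translation.
block all
pass in on $ext_if proto udp from any to $voip port { 5060, 10000:20000 } keep state
pass in on $ext_if proto tcp from any to $web  port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail port 25 flags S/SA keep state
pass out on $ext_if keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sn` then lists the translation rules in the order pf will evaluate them.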

