gwes ohxer:
What is the recommended pf.conf to get symmetrical routing
for incoming and outgoing connections using a dual-homed
gateway and internal hosts with static IPs on both WANs?
I'm assuming "route-to" and "reply-to" are the correct
tools to use.
I've looked at the FAQ, googled for dual & multihomed machines,
and haven't found a clear answer yet.
I know there's a multihome section in the FAQ, but
it only handles pools of nat-ed machines, and the last couple
of lines are not obvious.
Hi, I use policy based routing with PF. I have one local_if and three
external_if.
two of they have own gateway, and one don't have.
Here is my pf.conf, but it havn't comment, but if read carefully - all is
done.
have a nice day with PF=)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or
net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if_a = "xl0"
ext_gw_a = "195.26.xxx.xxx"
ext_if_b = "fxp1"
ext_gw_b = "188.230.xxx.xxx"
ext_if_c = "fxp2"
ext_gw_c = "172.20.252.33"
int_if = "fxp0"
table <firewall> const { self }
table <khaer> { 192.168.16.0/24 }
table <admin> { 192.168.16.1, 192.168.16.4, 192.168.16.6,
192.168.16.100 }
table <www> { 192.168.16.2 }
table <1c> { 192.168.16.3 }
table <zvit> { 192.168.16.4 }
table <mail> { 192.168.16.5 }
table <ad> { 192.168.16.7 }
table <fourblock> { 192.168.16.188 }
table <milestone> { 192.168.16.200 }
#table <officeserv> { }
table <dns> { 194.44.xxx.xxx, 217.12.xxx.xxx }
table <kl-bank> { 192.168.16.184, 192.168.16.185, 192.168.16.201,
\
192.168.16.207, 192.168.16.210, 192.168.16.218, \
192.168.16.221, 192.168.16.241 }
table <ipsec> { 192.168.15.0/24 }
table <private> { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
table <bruteforce> persist
table <advertisement> file "/etc/advertisement"
set skip on { lo0, enc0 }
set loginterface $ext_if_b
set timeout { frag 20, tcp.established 3600 }
set block-policy drop
antispoof quick for { fxp1, fxp2, xl0 }
match in all scrub (no-df)
#anchor "ftp-proxy/*"
#queuening
#altq on fxp0 cbq bandwidth 400Kb queue { q_std_a, q_mail_a, q_www_a }
#queue q_std_a bandwidth 10% priority 1 cbq (default)
#queue q_mail_a bandwidth 70% priority 5 cbq (borrow)
#queue q_www_a bandwidth 20% priority 3 cbq (borrow)
#altq on fxp1 cbq bandwidth 4Mb queue { q_std_b, q_admin, q_kl-bank,
q_www_b }
#queue q_std_b bandwidth 5% priority 1 cbq(default)
#queue q_admin bandwidth 40% priority 4 cbq(borrow)
#queue q_kl-bank bandwidth 15% priority 7 cbq(borrow)
#queue q_www_b bandwidth 40% priority 2 cbq(borrow)
#nat
match out on $ext_if_a inet proto tcp from <khaer> to !<khaer> nat-to
$ext_if_a
match out on $ext_if_b inet from <khaer> to !<khaer> nat-to $ext_if_b
match out on $ext_if_b inet from <ipsec> to !<ipsec> nat-to $ext_if_b
match out on $ext_if_c inet proto { tcp, udp } from <admin> to any nat-to
$ext_if_c
#rdr
match in on $ext_if_a inet proto tcp from any to $ext_if_a port { smtp,
smtps, 444, 51111 } tag MAIL_A rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 444 tag
EXT_B rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 666 tag
EXT_B rdr-to <1c> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 50666 tag
EXT_B rdr-to <zvit> port rdp
#match in on $ext_if_b inet proto udp from any to $ext_if_b port 27015
tag EXT_B rdr-to <milestome>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55111 tag
EXT_B rdr-to <milestone>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 11111 tag
EXT_B rdr-to <milestone> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55222 tag
EXT_B rdr-to 192.168.16.26 port ssh
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55333 tag
EXT_B rdr-to 192.168.16.26 port 80
#match in on $int_if inet proto tcp from <1c> to any port www rdr-to
127.0.0.1 port 3128
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port 8080 tag
EXT_B rdr-to 192.168.16.100 port 80
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port { 6001,
6002 } tag EXT_B rdr-to 192.168.16.100
#block
block in quick on $ext_if_a from <bruteforce>
block in quick on $int_if from any to <advertisement>
block quick proto tcp flags /S
block quick proto tcp flags A/A
block in quick on { $ext_if_a, $ext_if_b } from <private> to any
block out quick on { $ext_if_a, $ext_if_b } from any to <private>
block log all
#in
pass in on $ext_if_a inet proto tcp from any to $ext_if_a port 5522
reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto udp from any to $ext_if_b port domain
reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_a inet proto udp from any to $ext_if_a port domain
reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto tcp from any to $ext_if_b port { ftp,
smtp, 5522, >49151 } reply-to ($ext_if_b $ext_gw_b)
#(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush)
pass in on $ext_if_b inet proto tcp from 212.58.160.36 to $ext_if_b port
https reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from any to $ext_if_b port www
synproxy state reply-to ($ext_if_b $ext_gw_b)
pass in quick on $int_if inet proto udp from <khaer> to <firewall> port
bootps
pass in quick on $int_if inet proto { udp, tcp } from { <khaer>, <ipsec>
} to $int_if port domain
#pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128
pass in quick on $int_if inet proto tcp from { <khaer>, <ipsec> } to
$int_if port { ftp, smtp, www, pop3, 3128, 5522, >49151 }
pass in on $int_if inet proto tcp from <mail> to any port { www, smtp,
https, smtps } route-to ($ext_if_a $ext_gw_a)
pass in on $int_if inet proto { tcp, udp } from <kl-bank> to any port
!=25 route-to ($ext_if_b $ext_gw_b)
pass in on $int_if inet proto tcp from <fourblock> to any port !=80
route-to ($ext_if_b $ext_gw_b)
pass in on $int_if from <admin> to any route-to ($ext_if_b $ext_gw_b)
pass in on $int_if from <ipsec> to any route-to ($ext_if_b $ext_gw_b)
pass in on $int_if inet proto { tcp, udp } from { <1c>, <www>, <ad>,
<milestone> } to any port { domain, www, https } route-to ($ext_if_b
$ext_gw_b)
pass in on $int_if inet proto { tcp, udp } from <admin> to fxp2:network
route-to $ext_if_c
pass in on $ext_if_a inet proto tcp from any to <mail> port { smtp,
smtps, 444 } synproxy state reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto tcp from any to <mail> port 444 synproxy
state reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from any to <1c> port 666 synproxy
state reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from any to <zvit> port 50666
synproxy state reply-to ($ext_if_b $ext_gw_b)
#pass in on $ext_if_b inet proto udp from any to <milestone> port 27015
reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from any to <milestone> port 55111
reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from any to <milestone> port 11111
reply-to ($ext_if_b $ext_gw_b)
#pass in on $ext_if_b inet proto tcp from any to 192.168.16.100 port {
6001, 6002, 8080 } reply-to ($ext_if_b $ext_gw_b)
pass in quick reply-to ($ext_if_a $ext_gw_a) tagged MAIL_A
pass in quick reply-to ($ext_if_b $ext_gw_b) tagged EXT_B
#out
pass out quick on $int_if inet proto udp from <firewall> to <khaer> port
bootpc
pass out inet from $ext_if_a route-to ($ext_if_a $ext_gw_a)
pass out inet from $ext_if_b route-to ($ext_if_b $ext_gw_b)
pass out on $int_if inet proto tcp from any to <mail> port { smtp, smtps,
444 }
#pass out on $int_if inet proto tcp from any to <www> port ftp user proxy
pass out on $int_if inet proto tcp from any to { <1c>, <zvit>,
<milestone> } port rdp
#pass out on $int_if inet proto udp from any to <milestone> port 27015
pass out on $int_if inet proto tcp from any to <milestone> port 55111
pass out on $int_if inet proto tcp from any to 192.168.16.26 port { ssh,
http }
pass out on $int_if from any to 192.168.15.0/24
#pass out on $int_if inet proto tcp from any to 192.168.16.100 port { 80,
6001, 6002 }
pass out on { $ext_if_a, $ext_if_b, $ext_if_c }
pass out on $int_if inet proto icmp
pass out on $int_if inet proto tcp from $int_if to { 192.168.16.6,
192.168.16.16 } port { ssh, mysql }
