On Wed, Feb 9, 2011 at 7:40 PM, Da Rock <[email protected]> wrote:
> On 02/09/11 22:38, Maxim Khitrov wrote:
>> On Wed, Feb 9, 2011 at 6:34 AM, Da Rock <[email protected]> wrote:
>>> On 02/09/11 21:16, Daniel Bye wrote:
>>>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>>>> A very quick question.
>>>>>>>
>>>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>>>
>>>>>>> Possible? Or would it die in the hole?
>>>>>>
>>>>>> I guess you're concerned about performance and resource usage? If so, this
>>>>>> may be helpful.
>>>>>>
>>>>>> http://www.openbsd.org/faq/pf/perf.html
>>>>>>
>>>>>> Dan
>>>>>
>>>>> Useful info to have, thanks. But no, I'm interested in if the binatting
>>>>> will interfere with the rdr's (or vice versa).
>>>>
>>>> Ah, I see. I don't know, is the straight answer - I've never needed to use
>>>> both together. A bit of idle googling seems to suggest it's possible, but
>>>> I don't have time right now to dig any deeper.
>>>
>>> That's exactly what I got too. Nothing definitive to go on. Apparently not a
>>> very common arrangement. It *seems* to be working, but there are some weird
>>> quirks I can't quite account for. Hence the question to the guys who'd
>>> know... :)
>>
>> According to pf.conf(5):
>>
>>     Evaluation order of the translation rules is dependent on the type of the
>>     translation rules and of the direction of a packet. binat rules are
>>     always evaluated first. Then either the rdr rules are evaluated on an
>>     inbound packet or the nat rules on an outbound packet. Rules of the same
>>     type are evaluated in the same order in which they appear in the ruleset.
>>     The first matching rule decides what action is taken.
>>
>> The way I interpret this is that when an outside client tries to
>> establish a connection to one of your servers, the rdr rules will
>> never be evaluated, since the only public IP is translated with binat.
>> Outgoing connections shouldn't have a problem, since binat will only
>> match one local IP address and the others can be translated with nat
>> rules.
>
> Allow me to prefix my comments with the fact that that is not what appears
> to be happening.
>
> I read that as well, but my reading between the lines was that it is the
> _rules_ that are evaluated. So if I have a block all policy and then open up
> what I need, then only the _ports_ specified for that binat machine are
> passed - the rest continue for further evaluation: the rdr rules are then
> assessed and the packets are passed accordingly.
>
> What I see works mostly; I have a binat machine for voip (asterisk), and the
> rest of the jumble gets passed to the rdr's or get blocked. However, where I
> come unstuck (and this is why I recreated my firewall rules) is I still
> can't get outgoing calls to my voip provider. It still eludes me... So I'm
> not sure if I'm 100% right or not.
>
> Hence my dilemma... I did get outgoing calls to work somewhere when my
> firewall rules were still not quite working, but I couldn't ring in! I have
> used an ata and tried to figure out what I'm missing, but I still haven't
> got it figured yet.
>
> But I digress. At the time when I started this thread I was having some odd
> issues with my rdr servers, but now they appear to be working as they should
> (after some blood, sweat and tears), fingers crossed. So what I will do now
> is finish this problem and get the voip working (which may or may not be a
> firewall problem), and then see whether it all works as beautifully as it
> should; then I will report back on this thread and let people know the
> outcome.
Are you using binat specifically for voip or is there some other reason? I
used to run a voip appliance behind m0n0wall (FreeBSD 6) using regular nat
and port forwarding without any problems. I'm not familiar with asterisk,
but I assume there is a way to restrict the port range that is used for
incoming and outgoing connections. Binat shouldn't be needed for this if
that's your only reason for going that route.

- Max
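A ruleset of the shape the thread describes (one public address, one binat host, the rest rdr), as an added example in the pre-4.7 pf syntax FreeBSD used at the time; it is not from the thread or from any poster. Interface names, addresses and the RTP port range are placeholders. Following Max's reading of pf.conf(5), the binat rule is narrowed with `proto udp` so that inbound TCP to the public address does not match binat and falls through to the rdr rules.

```pf
# Added example: one public IP, binat for the VoIP box, rdr for the rest.
# Pre-OpenBSD-4.7 pf syntax. Every name and address below is a placeholder.
ext_if    = "em0"
int_if    = "em1"
pub_ip    = "203.0.113.10"     # the single static public address
voip_srv  = "192.168.10.5"     # asterisk box, the binat host
web_srv   = "192.168.10.20"
mail_srv  = "192.168.10.30"
rtp_ports = "10000:20000"      # assumed RTP range configured on the PBX

set skip on lo0
scrub in all

# Translation. pf evaluates binat first, then rdr (inbound) or nat (outbound);
# the first matching translation rule wins and nothing else is consulted.
# An unqualified "binat from $voip_srv to any -> $pub_ip" would claim every
# inbound packet to $pub_ip and the rdr rules would never be reached.
# Restricting it to UDP leaves inbound TCP for the rdr rules below, but every
# unsolicited inbound UDP packet to $pub_ip now lands on the VoIP box, so the
# filter rules must limit which UDP ports actually get through.
binat on $ext_if proto udp from $voip_srv to any -> $pub_ip

rdr on $ext_if proto tcp from any to $pub_ip port 80  -> $web_srv port 80
rdr on $ext_if proto tcp from any to $pub_ip port 443 -> $web_srv port 443
rdr on $ext_if proto tcp from any to $pub_ip port 25  -> $mail_srv port 25

# Outbound for the rest of the DMZ. The VoIP box's UDP already matched binat
# above; its TCP (if any) is translated here like everyone else's.
nat on $ext_if from $int_if:network to any -> $pub_ip

# Filtering. In this pf version filter rules see the translated (internal)
# addresses, so the pass rules name the DMZ hosts, not $pub_ip.
block all
pass in on $ext_if proto udp from any to $voip_srv port 5060 keep state
pass in on $ext_if proto udp from any to $voip_srv port $rtp_ports keep state
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if keep state
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sn` then shows the translation rules in the order pf will evaluate them.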
