Hello all,

I'm trying to redirect specific ports through a pf firewall that
load-balances 2 outgoing net connections and am having some problems.
This firewall connects to 2 different ISPs.  It also performs
greylisting and pre-filtering of mail for viruses (virii?).  I know
that I need to work in the 'reply-to' option somehow, but I can't seem
to get it working.

I've put ** in front of the lines that I've added to try to redirect
the traffic, which don't seem to be working.  Any help you could lend
would be greatly appreciated.  If the problem is covered elsewhere, I
could just use a hint on where to find it (I have looked around quite a
bit).

--------------


## pf.conf ##
ext_if1="fxp1"
ext_gw1="2.2.2.2"
ext_if2="fxp2"
ext_gw2="3.3.3.3"
int_if="fxp0"
lan_net="192.168.1.0/24"          # network address, not the gateway's host address
exch_svr="192.168.1.150"
exch_svc="{ 80, 443 }"

table <spamd> persist
table <spamd-white> persist
table <mywhite> persist file "/root/goodips"
table <myblack> persist file "/root/badips"

scrub in

# nat all outbound traffic on each interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

rdr pass on $int_if proto tcp from $exch_svr to port smtp \
        -> 127.0.0.1 port smtp

rdr pass on $ext_if1 proto tcp from <spamd> to port smtp \
        -> 127.0.0.1 port spamd
rdr pass on $ext_if2 proto tcp from <spamd> to port smtp \
        -> 127.0.0.1 port spamd

rdr pass on $ext_if1 proto tcp from <mywhite> to port smtp \
        -> 127.0.0.1 port smtp
rdr pass on $ext_if2 proto tcp from <mywhite> to port smtp \
        -> 127.0.0.1 port smtp

rdr pass on $ext_if1 proto tcp from !<spamd-white> to port smtp \
        -> 127.0.0.1 port spamd
rdr pass on $ext_if2 proto tcp from !<spamd-white> to port smtp \
        -> 127.0.0.1 port spamd

**rdr on $ext_if1 proto tcp from any to port $exch_svc -> $exch_svr
**rdr on $ext_if1 proto tcp from any to port 407 -> 192.168.1.21

# Default block all traffic incoming & outgoing
block all

# pass all outgoing packets on internal interface
pass out quick on $int_if from any to $int_if:network
# pass in quick any packets destined for the gateway itself from the lan
pass in quick on $int_if from $int_if:network to $int_if

# load balance outgoing tcp traffic from internal network
pass in quick on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto tcp from $lan_net to any flags S/SA modulate state
# load balance outgoing udp & icmp traffic from internal network
pass in quick on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto { udp, icmp } from $lan_net to any keep state


# pass out rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# Packets sourced from one external interface's own address but handed to
#       the other interface by the routing table must go out via their own
#       ISP's gateway ($ext_if2's address via $ext_gw2, and vice versa)

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any \
        flags S/SA modulate state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any \
        flags S/SA modulate state


pass quick on { lo }
antispoof quick for { lo }

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
        $ext_if1 port ssh keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to \
        $ext_if2 port ssh keep state

#pass in on $ext_if proto tcp to $ext_gw1 port > 49151 user proxy keep state

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
        $ext_if1 port smtp keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to \
        $ext_if2 port smtp keep state

**pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
**      $exch_svr port $exch_svc keep state
**pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
**      any port 407 keep state


Thanks!


James Harless
-- 
What would Bilano do?

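For reference, here is a complete minimal ruleset for the dual-ISP inbound case, written as an added example: it is not part of the post above and not the poster's working config. It reuses the macro names and the pre-4.7 nat/rdr syntax from the post, and it assumes the internal server should be reachable through both ISP links, which is why every rdr has a twin on the other external interface and each has a matching pass in rule carrying its own reply-to. The port 407 redirect is left out.

```pf
## Added example, not the original post's config.
## Dual-ISP firewall with an internal server reachable via either ISP.
ext_if1="fxp1"
ext_gw1="2.2.2.2"
ext_if2="fxp2"
ext_gw2="3.3.3.3"
int_if="fxp0"
lan_net="192.168.1.0/24"
exch_svr="192.168.1.150"
exch_svc="{ 80, 443 }"

scrub in

# Outbound NAT on each link, using that link's own address.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# One rdr per external interface, restricted to that interface's own
# address: a connection arriving on either ISP link is rewritten to the
# internal server.  Translation happens before filtering, so the pass
# rules below must match the translated destination ($exch_svr).
rdr on $ext_if1 proto tcp from any to ($ext_if1) port $exch_svc -> $exch_svr
rdr on $ext_if2 proto tcp from any to ($ext_if2) port $exch_svc -> $exch_svr

block all

# LAN side: let the redirected packet out to the server, and let LAN
# hosts talk to the firewall itself.
pass out quick on $int_if from any to $int_if:network
pass in quick on $int_if from $int_if:network to $int_if

# Outbound load balancing for LAN-originated TCP (SYN only, so that the
# server's replies to redirected connections never match this rule and
# are instead handled by the reply-to state created below).
pass in quick on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto tcp from $lan_net to any flags S/SA modulate state

pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state

# Traffic sourced from one link's address must leave via that link's gateway.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any \
        flags S/SA modulate state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any \
        flags S/SA modulate state

# Inbound to the redirected service.  reply-to records, in the state
# entry, the interface and gateway the SYN arrived through, so the
# server's SYN/ACK and later packets are sent back out that same ISP
# instead of following the kernel's default route.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any \
        to $exch_svr port $exch_svc flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any \
        to $exch_svr port $exch_svc flags S/SA keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f`, confirm the translation rules loaded with `pfctl -sn`, then open a connection from outside through each ISP address in turn and look for the state with `pfctl -ss`. If a state appears for the connection but the client never gets an answer, run `tcpdump -ni fxp1` (or `fxp2`) and check that the SYN/ACK from 192.168.1.150 leaves on the same interface the SYN arrived on; a reply going out the other link is the symptom of a missing or mismatched reply-to.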