On 5 June 2013 17:50, Ville Valkonen <weezeld...@gmail.com> wrote:
>
> Hi,
>
> just confirming one thing: did you flush the pf states between the
> tests? I must admit, I mainly glanced at the problem, so sorry if this is
> an old tip. This was the first thing that popped into my mind when
> reading about your solution.
>
Hi Ville!

I am glad to hear some response :) - it makes me feel more part of misc@.

Yes, in almost all tests done I have flushed the states. Like this:

pfctl -F all && pfctl -d && pfctl -ef test.conf

I am starting to guess that the beautiful PF "state machine" really does not work well with this kind of IP spoofing, to name it better, tproxy. But this is only a guess.

Oh, and sorry, I forgot to put the new and fresh and working config, here it is:

# all macros are now living outside, for future anchor files
include "/etc/pf.d/macros.conf"

table <AKAMAI> persist file "/etc/pf.d/akamai.table"
table <INT_NET> persist file "/etc/pf.d/int_net.table"

# okay, I really do not think we will need all that much,
# but the machine has a lot of resources, why not spare?
set limit states 6304000
set limit tables 5000
set limit src-nodes 200000
set limit frags 3000
set optimization aggressive
#set state-policy if-bound
# future is netflow/openflow for network analysis, isn't it?
set state-defaults pflow, no-sync

set skip on lo

# block private nets
block in log quick on { \
    $ext_if_1, \
    $ext_if_2, \
    $ext_if_3, \
    $squid_master_if, \
    $int_if_1 } from $RFC1918 label "blocking RFC1918"

# trying to prioritize things
#match in all scrub (no-df max-mss 1440)
match proto tcp flags any no state set prio (3,5)
match proto tcp to port { ssh, 9876 } flags any no state set prio (5,7)
match proto tcp to port { http, https } flags any no state set prio (5,6)
match proto tcp from port { http, https } flags any no state set prio (5,6)
match proto udp no state set prio 4

# test NAT IP_REAL -> IP_REAL:
# $ext_if_4 is a PPPoE pseudo-interface
# testing how to route/nat traffic to/from Akamai over an emergency link
pass out quick on $ext_if_4 to <AKAMAI> flags any nat-to ($ext_if_4)
pass in quick on $squid_master_if proto tcp to <AKAMAI> port http flags any \
    route-to ($ext_if_4 $ext_gw_4)
pass in quick on $int_if_1 proto tcp to <AKAMAI> port != http flags any \
    route-to ($ext_if_4 $ext_gw_4)
pass in quick on $int_if_1 proto udp to <AKAMAI> port != http \
    route-to ($ext_if_4 $ext_gw_4)
pass out quick on { $ext_if_1, $ext_if_2, $ext_if_3 } to <AKAMAI> flags any \
    route-to ($ext_if_4 $ext_gw_4)

# here the magic begins
# just to see how many packets are passing
pass out on $squid_master_if from { <INT_NET>, $int_gw_1 } flags any no state
pass out on $squid_master_if to { <INT_NET>, $int_gw_1 } flags any no state
pass in on $squid_master_if from { <INT_NET>, $int_gw_1 } flags any no state
pass in on $squid_master_if to { <INT_NET>, $int_gw_1 } flags any no state

# route to squid_master
# ...from int_net
pass in quick on $int_if_1 proto tcp from { <INT_NET>, $int_gw_1 } to port http \
    route-to ($squid_master_if $squid_master_gw) flags any no state set prio (5,6)
# ...from external_net
pass in quick on { $ext_if_1, $ext_if_2, $ext_if_3 } proto tcp from port http \
    to { <INT_NET>, $int_gw_1 } \
    route-to ($squid_master_if $squid_master_gw) flags any no state set prio (5,6)

Ville, if you have some idea about keeping states with tproxy in mind, it will be very welcome!

Thank you :)

Raimundo Santos
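As an added diagnostic for the state question in the message above (example code, not part of this thread and not OpenBSD's own): a small parser for `pfctl -ss` output that reports any connection tuple holding states on more than one interface, which is one thing to look at when deciding whether the tproxy flows can keep state. The line format is an assumption based on OpenBSD's pfctl -ss, and the sample states are constructed.

```python
import re
from collections import defaultdict

# One line of `pfctl -ss` output. Format assumed here (OpenBSD):
#   <ifname|all> <proto> <src>[ (<orig src>)] -> <dst>[ (<orig dst>)] <state>
# The parenthesised address is the pre-translation endpoint of a nat-to/rdr-to state.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)(?:\s+\((?P<src_orig>[^)]+)\))?\s+->\s+"
    r"(?P<dst>\S+)(?:\s+\((?P<dst_orig>[^)]+)\))?\s+(?P<state>\S+)"
)

# Constructed sample, not real pfctl output: 10.1.1.0/24 is the internal net,
# em1 faces the Squid box, em2 is an external link, pppoe0 the emergency link.
SAMPLE_STATES = """\
all    tcp  10.1.1.40:50123 -> 23.0.0.10:80       ESTABLISHED:ESTABLISHED
em1    tcp  10.1.1.20:50123 -> 23.0.0.10:80       ESTABLISHED:ESTABLISHED
em2    tcp  10.1.1.20:50123 -> 23.0.0.10:80       ESTABLISHED:ESTABLISHED
pppoe0 tcp  198.51.100.7:61000 (10.1.1.30:40000) -> 23.0.0.11:443   ESTABLISHED:ESTABLISHED
em0    udp  10.1.1.40:5353 -> 10.1.1.1:53       SINGLE:MULTIPLE
"""

def parse_states(text):
    """Parse pfctl -ss output into one dict per state; unparsable lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states

def flow_key(state):
    """Connection tuple keyed on the original (pre-translation) endpoints, so a
    translated copy of a flow maps onto the same key as the untranslated one."""
    return (state["proto"],
            state["src_orig"] or state["src"],
            state["dst_orig"] or state["dst"])

def flows_on_multiple_ifaces(states):
    """Return {tuple: [interfaces]} for every flow that has a state entry on
    more than one interface (e.g. what `set state-policy if-bound` yields)."""
    seen = defaultdict(set)
    for s in states:
        seen[flow_key(s)].add(s["iface"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for flow, ifaces in flows_on_multiple_ifaces(parse_states(SAMPLE_STATES)).items():
        print(f"{flow[0]} {flow[1]} -> {flow[2]} has states on {', '.join(ifaces)}")
```

Feed it real output with `pfctl -ss | python3 thisfile.py` after replacing SAMPLE_STATES with sys.stdin.read().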