Hi Siju,

isn't this:

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

meant to be like this:

pass in quick on $int_if route-to { ( $ext_if2 $ext_ifgw ) } from <hifxchn2> to any keep state

Regards,

Charlie

Siju George wrote:
Hi,

I have a firewall with

sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection

I have a line in pf.conf to route requests from hosts in <hifxchn2> through the rl2 internet connection but it does not seem to work.

The full pf.conf is below

===========================================================================================================

##NETWORK INTERFACES
#
int_if="sk0"   #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if="rl1"   #Dataone Connection - "rl2" interface Connected to the Dataone Router.
ext_if2="rl2"
ext_ifgw="122.166.40.1"
proxy="122.166.40.36"

#Private IP Address Range Specified by RFC 1918.
#
priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

#Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
#
table <bypass-squid-users> persist file "/etc/pf-tables/bypass-squid-users"

#Websites to which bypassing SQUID is allowed.
#
table <bypass-squid-sites> persist file "/etc/pf-tables/bypass-squid-sites"

table <lanspl> persist file "/etc/pf-tables/lanspl"
table <adm> persist file "/etc/pf-tables/adms"
table <vtcservers> persist file "/etc/pf-tables/vtcservers"
table <bannedIPs> persist file "/etc/pf-tables/bannedIPs"
table <authpf_users> persist
table <hifxchn2> persist file "/etc/pf-tables/hifxchn2"

#Traffic Normalization - Required for "pppoe" connection.
#
scrub on $ext_if all no-df random-id fragment reassemble

###"Network Address Translation" and "Port Redirection"
###The First Matching rule wins here for any packet and no further "nat" or "rdr" rules are checked.

nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

nat pass on $ext_if from <adm> to any -> ($ext_if)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443

###
#
nat on $ext_if from <bypass-squid-users> to any -> ($ext_if)

#NAT connections to specified websites.
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if2)

#Block NAT for other hosts to port 80 and 443 on the Internet.
#They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }

#Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

#The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
#PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
#Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
#
no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080

###Filter Rules.
###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.

#Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.
block all

pass in quick on $ext_if inet proto tcp from any to any port ssh keep state

#Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets

block out log quick on $ext_if from any to <bannedIPs>

#Allow all traffic on the localhost interface.
pass quick on lo0 all

#Allow Traffic from HIFX LAN to pass through the firewall & also allow traffic from firewall to enter the LAN.
pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state
pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state

#Allow Traffic from Firewall to pass out to the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state

#ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state

#authpf
anchor "authpf/*"

====================================================================================================

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:fc:7d:4e:50
        media: Ethernet autoselect
        status: no carrier
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:4d:06:2b:65
        groups: egress extif
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 122.166.40.36 netmask 0xffffff00 broadcast 122.166.40.255
        inet6 fe80::2e0:4dff:fe06:2b65%rl1 prefixlen 64 scopeid 0x2
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:4d:06:2b:68
        groups: extif
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 122.166.40.99 netmask 0xffffff00 broadcast 122.166.40.255
        inet6 fe80::2e0:4dff:fe06:2b68%rl2 prefixlen 64 scopeid 0x3
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0f:3d:88:9e:d4
        media: Ethernet autoselect (100baseTX full-duplex,flag0,flag1)
        status: active
        inet 172.17.1.0 netmask 0xfff00000 broadcast 172.31.255.255
        inet6 fe80::20f:3dff:fe88:9ed4%sk0 prefixlen 64 scopeid 0x4
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
        groups: carp
enc0: flags=0<> mtu 1536

=================================================================================
--
Charlie Clark
Network Engineer
Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London SW14 8TA
UK
Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under Company No. 03697052
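The thread turns on where the route-to rule sits among the quick rules on $int_if, so here is an added example, written for this page and not code from either post or from pf itself: a small Python model of pf's filter evaluation order (last matching rule wins, a matching quick rule stops evaluation) run over the inbound-on-sk0 slice of the posted filter section. It assumes one <hifxchn2> member address and one Internet destination, both constructed, and treats rl1 as the default route because it is the interface in the egress group in the posted ifconfig output. Rules that match on proto/port (ssh, ftp-proxy, the anchors) and the $ext_if rules are omitted because they cannot match a LAN packet arriving on sk0. On the syntax point: pf.conf's grammar accepts a single route host after route-to either bare, as Siju wrote it, or inside braces, as Charlie suggests.

```python
"""Toy model of pf filter evaluation for the rule set in this thread.

Added example, not pf and not code from the original posts.  Only what the
discussion needs is modelled: direction, interface, source and destination
address (exact, CIDR or table), 'quick', and a per-rule route-to target.
State, NAT, protocols and ports are ignored.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INT_IF, EXT_IF, EXT_IF2 = "sk0", "rl1", "rl2"
EXT_IFGW = "122.166.40.1"
INT_IF_ADDR = "172.17.1.0"       # sk0 address from the posted ifconfig
INT_IF_NET = "172.16.0.0/12"     # $int_if:network (netmask 0xfff00000)

# Table membership is an assumption; the real table is loaded from a file.
TABLES = {"<hifxchn2>": {"172.16.4.50"}}


@dataclass
class Rule:
    action: str                                  # "pass" or "block"
    direction: str = ""                          # "in", "out", "" = either
    iface: str = ""                              # interface name, "" = any
    src: str = "any"                             # "any", CIDR or "<table>"
    dst: str = "any"
    quick: bool = False
    route_to: Optional[Tuple[str, str]] = None   # (interface, gateway)


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("<"):
        return addr in TABLES[spec]
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules, direction, iface, src, dst):
    """pf semantics for the subset modelled here: walk every rule in order,
    remember the last one that matched, but stop at once on a matching rule
    that carries 'quick'.  Returns (winning_rule, index) or None."""
    winner = None
    for i, r in enumerate(rules):
        if r.direction and r.direction != direction:
            continue
        if r.iface and r.iface != iface:
            continue
        if not (addr_matches(r.src, src) and addr_matches(r.dst, dst)):
            continue
        winner = (r, i)
        if r.quick:
            break
    return winner


# The inbound-on-$int_if slice of the posted filter section, in posted order.
POSTED_RULES = [
    Rule("block"),                                           # block all
    Rule("pass", "", "lo0", quick=True),                     # pass quick on lo0 all
    Rule("pass", "in", INT_IF, "any", INT_IF_ADDR, quick=True),
    Rule("pass", "in", INT_IF, "<hifxchn2>", "any", quick=True,
         route_to=(EXT_IF2, EXT_IFGW)),
    Rule("pass", "in", INT_IF, INT_IF_NET, "any", quick=True),
]

# Same rules with the route-to rule moved AFTER the generic LAN rule: the
# generic rule is 'quick', so the route-to rule would never be reached.
SHADOWED_RULES = [POSTED_RULES[0], POSTED_RULES[1], POSTED_RULES[2],
                  POSTED_RULES[4], POSTED_RULES[3]]


def egress_for(rules, src, dst):
    """Interface a LAN packet leaves on under this rule set: the route-to
    target when the winning rule has one, else the default route (rl1, the
    egress-group interface); "local" for traffic to the firewall itself;
    None when the packet is blocked."""
    winner = evaluate(rules, "in", INT_IF, src, dst)
    if winner is None or winner[0].action == "block":
        return None
    rule = winner[0]
    if rule.route_to:
        return rule.route_to[0]
    return "local" if dst == INT_IF_ADDR else EXT_IF


if __name__ == "__main__":
    dst = "198.51.100.10"          # constructed Internet destination
    for label, rules in (("posted order", POSTED_RULES),
                         ("route-to last", SHADOWED_RULES)):
        for src in ("172.16.4.50", "172.16.4.60"):
            print(f"{label:14} {src} -> {dst}: via {egress_for(rules, src, dst)}")
```

The model says the posted ordering is fine for the rules it covers: a <hifxchn2> host is caught by the route-to rule before the generic LAN rule, while a host outside the table falls through to rl1. Move the route-to rule one line down and it is dead. What the model does not cover is everything else that can defeat route-to on the real box: the table contents (pfctl -t hifxchn2 -T show), whether the rule is being evaluated at all (pfctl -vsr shows per-rule evaluation and packet counters), the reply path and NAT on rl2, and the state entries already created for those hosts before the rule was added (pfctl -ss, and note that existing states keep their original routing).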