Hi Siju,
isn't this:
pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
meant to be like this:
pass in quick on $int_if route-to { ( $ext_if2 $ext_ifgw ) } from <hifxchn2> to any keep state
Regards,
Charlie
Siju George wrote:
Hi,
I have a firewall
sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection
I have a line in pf.conf
to route requests from hosts in <hifxchn2> through the rl2 internet
connection but it does not seem to work.
the full pf.conf is below
===========================================================================================================
##NETWORK INTERFACES
#
int_if="sk0" #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if="rl1" #Dataone Connection - "rl2" interface Connected to the Dataone Router.
ext_if2="rl2"
ext_ifgw="122.166.40.1"
proxy="122.166.40.36"
#Private IP Address Range Specified by RFC 1918.
#
priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
#Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
#
table <bypass-squid-users> persist file "/etc/pf-tables/bypass-squid-users"
#Websites to which bypassing SQUID is allowed.
#
table <bypass-squid-sites> persist file "/etc/pf-tables/bypass-squid-sites"
table <lanspl> persist file "/etc/pf-tables/lanspl"
table <adm> persist file "/etc/pf-tables/adms"
table <vtcservers> persist file "/etc/pf-tables/vtcservers"
table <bannedIPs> persist file "/etc/pf-tables/bannedIPs"
table <authpf_users> persist
table <hifxchn2> persist file "/etc/pf-tables/hifxchn2"
#Traffic Normalization - Required for "pppoe" connection.
#
scrub on $ext_if all no-df random-id fragment reassemble
###"Network Address Translation" and "Port Redirection"
###The First Matching rule wins here for any packet and no further "nat" or "rdr" rules are checked.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
nat pass on $ext_if from <adm> to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443
###
#
nat on $ext_if from <bypass-squid-users> to any -> ($ext_if)
#NAT connections to specified websites.
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if2)
#Block NAT for other hosts to port 80 and 443 on the Internet.
#They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }
#Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
#The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
#PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
#Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
#
no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080
###Filter Rules.
###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.
#Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.
block all
pass in quick on $ext_if inet proto tcp from any to any port ssh keep state
#Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to <bannedIPs>
#Allow all traffic on the localhost interface.
pass quick on lo0 all
#Allow Traffic from HIFX LAN to pass through the firewall & also allow
traffic from firewall to enter the LAN.
pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state
pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state
#Allow Traffic from Firewall to pass out to the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state
#ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state
#authpf
anchor "authpf/*"
====================================================================================================
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:50:fc:7d:4e:50
media: Ethernet autoselect
status: no carrier
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e0:4d:06:2b:65
groups: egress extif
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 122.166.40.36 netmask 0xffffff00 broadcast 122.166.40.255
inet6 fe80::2e0:4dff:fe06:2b65%rl1 prefixlen 64 scopeid 0x2
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e0:4d:06:2b:68
groups: extif
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 122.166.40.99 netmask 0xffffff00 broadcast 122.166.40.255
inet6 fe80::2e0:4dff:fe06:2b68%rl2 prefixlen 64 scopeid 0x3
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0f:3d:88:9e:d4
media: Ethernet autoselect (100baseTX full-duplex,flag0,flag1)
status: active
inet 172.17.1.0 netmask 0xfff00000 broadcast 172.31.255.255
inet6 fe80::20f:3dff:fe88:9ed4%sk0 prefixlen 64 scopeid 0x4
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
groups: carp
enc0: flags=0<> mtu 1536
=================================================================================
--
Charlie Clark
Network Engineer
Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK
Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/
Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052
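An added example, not code from the thread or from either poster: a small offline Python check that resolves the pf.conf macros, reads interface addresses from ifconfig output, and verifies for every route-to rule that the next-hop gateway lies on a subnet directly attached to the named interface, which pf needs in order to hand the packet to that hop. It accepts both the bare `( $if $gw )` form and the braced `{ ( $if $gw ) }` form discussed above and reports the resolved target either way. The pf.conf and ifconfig text embedded in the block are constructed excerpts modelled on the thread, not the poster's full files; the function and regex names are the example's own.

```python
import re
import ipaddress

# Constructed excerpt modelled on the pf.conf and ifconfig output in the thread
# (not the poster's full files). Both route-to spellings are included so the
# check shows that it parses either one.
PF_CONF = '''
int_if="sk0" #HiFX LAN Interface
ext_if="rl1" #Dataone Connection
ext_if2="rl2"
ext_ifgw="122.166.40.1"
table <hifxchn2> persist file "/etc/pf-tables/hifxchn2"
pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
pass in quick on $int_if route-to { ( $ext_if2 $ext_ifgw ) } from <hifxchn2> to any keep state
'''

IFCONFIG = '''
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 122.166.40.36 netmask 0xffffff00 broadcast 122.166.40.255
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 122.166.40.99 netmask 0xffffff00 broadcast 122.166.40.255
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.17.1.0 netmask 0xfff00000 broadcast 172.31.255.255
'''

# name="value" with an optional trailing comment
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*(?:#.*)?$')
# "rl2: flags=..." starts a new interface block in ifconfig output
IFACE_RE = re.compile(r'^(\w+):\s+flags=')
# "inet A.B.C.D netmask 0xHHHHHHHH" lines belong to the current interface
INET_RE = re.compile(r'^\s+inet\s+(\S+)\s+netmask\s+0x([0-9a-fA-F]{8})')
# route-to ( if gw )  or  route-to { ( if gw ) }; first target only
ROUTE_TO_RE = re.compile(r'route-to\s*(?:\{\s*)?\(\s*(\S+)\s+(\S+)\s*\)')


def parse_macros(conf):
    """Collect pf.conf macro definitions (name -> value)."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(token, macros):
    """Replace a $macro reference with its value; plain tokens pass through."""
    return macros.get(token[1:], token) if token.startswith('$') else token


def parse_ifconfig(text):
    """Map interface name -> list of attached IPv4 networks."""
    nets = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            nets.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current:
            addr, mask_hex = m.group(1), m.group(2)
            mask = ipaddress.IPv4Address(int(mask_hex, 16))
            nets[current].append(ipaddress.IPv4Interface(f"{addr}/{mask}").network)
    return nets


def check_route_to(conf, ifconfig_text):
    """Return one (rule, iface, gateway, ok) tuple per route-to rule.

    ok is True when the gateway sits on a network directly attached to
    iface; otherwise pf has no way to deliver the packet to that next hop.
    """
    macros = parse_macros(conf)
    nets = parse_ifconfig(ifconfig_text)
    results = []
    for line in conf.splitlines():
        m = ROUTE_TO_RE.search(line)
        if not m:
            continue
        iface = expand(m.group(1), macros)
        gw_text = expand(m.group(2), macros)
        try:
            gw = ipaddress.IPv4Address(gw_text)
        except ValueError:  # undefined macro or a non-address target
            results.append((line.strip(), iface, gw_text, False))
            continue
        ok = any(gw in net for net in nets.get(iface, []))
        results.append((line.strip(), iface, str(gw), ok))
    return results


if __name__ == "__main__":
    for rule, iface, gw, ok in check_route_to(PF_CONF, IFCONFIG):
        print("OK " if ok else "BAD", iface, gw, "<-", rule)
```

To use it on a real box, read `/etc/pf.conf` and the saved output of `ifconfig -a` into the two strings; a BAD line means the rule parsed but the next hop is not reachable on that interface's subnet, which is worth ruling out before looking at rule order. Syntax itself is better checked with `pfctl -nf /etc/pf.conf`, and `pfctl -vvsr` shows the rules exactly as pf loaded them.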