Hi,
 
I want to do port-based routing with PF. With the rules I have written, it still tries to leave via the default gateway. I want my requests going to port 25 to leave through this interface. What mistake might I have made in the rules I have written?
 
A second problem is that there is a constant block in pflog, and I could not find what it is trying to block. I have written the rules and the block lines from the log in the lines below.
 
Regards....
Veysi GUMUS
 
###################################################
# Macros
###################################################
lan_net = "{ 10.0.0.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24  }"
int_if = "bge0"
ext_if = "vr0"
ext_if2 = "vr1"
ext_gw1 = "192.168.100.213"
ext_gw2 = "192.168.110.25"
fwips = "{127.0.0.1, 10.0.0.2, 192.168.100.212, 192.168.110.26}"
##################################################
# Definitions
##################################################
table <msn> persist file "/usr/local/etc/fw/msn"
table <kamera> persist file "/usr/local/etc/fw/kamera"
table <ftp> persist file "/usr/local/etc/fw/ftp"
table <sigorta> persist file "/usr/local/etc/fw/sigorta"
table <banka> persist file "/usr/local/etc/fw/banka"
table <fbs> persist file "/usr/local/etc/fw/fbs"
 
###################################################
# Set Optimizations
###################################################
set limit { frags 30000, states 25000 }
set loginterface $ext_if
scrub in all
 
##################################################
# NAT rules
##################################################
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
rdr on $int_if proto tcp from any to any port 80 -> 10.0.0.2 port 8080
 
##################################################
# Firewall rules
##################################################
block in log all
block out log all
pass in  quick on lo0 all
pass out quick on lo0 all
 

pass in log on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $fwips to any flags S/SA modulate state
 
pass in log on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $fwips to any keep state
 
##################################################
# Port-based routing
##################################################
 
pass in quick log on $int_if  route-to ($ext_if2 $ext_gw2) proto tcp from $fwips to any port 25  keep state
pass out  quick on $ext_if  route-to ($ext_if2 $ext_gw2) proto tcp from $fwips to any port 25  keep state
##################################################
# Inbound via the 1st ADSL
##################################################
pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA
pass out quick on $ext_if proto { tcp, udp, icmp } from $ext_if  to any keep state
pass out on $ext_if2  route-to ($ext_if $ext_gw1) from $ext_if to any keep state
 
##################################################
# Inbound via the 2nd ADSL
##################################################
pass in quick log on $ext_if2 proto tcp from any to any port {25,80,110} flags S/SA
pass out quick on $ext_if2 proto { tcp, udp, icmp } from $ext_if2  to any keep state
pass out on $ext_if  route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state
##################################################
# Inbound to the firewall from the LAN
##################################################
pass in quick log on $int_if proto tcp from $lan_net to any port { 22, 25, 80, 110, 8080, 3128, 12200 } flags S/SA keep state
pass in quick log on $int_if proto tcp from <msn> to any port = 1863 flags S/SA keep state
pass in quick log on $int_if proto tcp from <kamera> to any port = 18082 flags S/SA keep state
pass in quick log on $int_if proto tcp from <sigorta> to any port = 12173 flags S/SA keep state
pass in quick log on $int_if proto tcp from <banka> to any port = 443 flags S/SA keep state
pass in quick log on $int_if proto tcp from <fbs> to any port = 33000 flags S/SA keep state
pass in quick log on $int_if proto tcp from <ftp> to any port = 21 flags S/SA keep state
pass in quick on $int_if proto { udp, icmp } from $lan_net  to any keep state
##################################################
# Outbound from the firewall
##################################################
pass out quick log on $int_if proto tcp from $lan_net to any port { 22, 25, 80, 110, 8080, 12200 } flags S/SA keep state
pass out quick log on $ext_if2 proto tcp from any to any port { 22, 25, 80, 110, 8080, 12200 } flags S/SA keep state
pass out quick on $int_if proto { udp, icmp } from $lan_net  to any keep state

******************************************************************************************************
The blocks in the log file keep repeating.
 
tcpdump -eni pflog0
 
10:17:41.415182 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 452
10:17:41.415190 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.425677 rule 36/0(match): pass in on bge0: 10.0.0.21.3405 > 10.0.0.2.8080: S 2961571271:2961571271(0) win 65535 <mss 1460,nop,nop,sackOK>
10:17:41.426144 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.426151 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.436043 rule 36/0(match): pass in on bge0: 10.0.0.21.3406 > 10.0.0.2.8080: S 2262277316:2262277316(0) win 65535 <mss 1460,nop,nop,sackOK>
10:17:41.437074 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.437081 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.455614 rule 36/0(match): pass in on bge0: 10.0.0.21.3409 > 10.0.0.2.8080: S 3840730374:3840730374(0) win 65535 <mss 1460,nop,nop,sackOK>
10:17:41.456101 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.456108 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.482980 rule 36/0(match): pass in on bge0: 10.0.0.21.3410 > 10.0.0.2.8080: S 230439576:230439576(0) win 65535 <mss 1460,nop,nop,sackOK>
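Added example, not part of the post: a small POSIX shell helper for the second question (finding out what pflog is blocking). The `rule N/0` number in a pflog line is the rule's position in the loaded ruleset after list expansion (`{ ... }` lists and multi-address macros such as `$fwips` expand into several rules), so the number is best resolved with `pfctl -vvsr`, which prints each rule with an `@N` prefix. The helper aggregates `tcpdump -eni pflog0` lines by rule, action, direction, interface and protocol, and looks a rule number up in `pfctl -vvsr` output. The log lines are taken from the post; the `pfctl -vvsr` excerpt is constructed and its numbering is not the poster's.

```shell
#!/bin/sh
# Added example (not from the post): summarise pflog output and resolve rule numbers.
# Assumes the `tcpdump -eni pflog0` line format shown in the post and the `@N`
# rule prefixes printed by `pfctl -vvsr`.

# Sample log lines copied from the post (the poster's own capture).
SAMPLE_LOG=$(cat <<'EOF'
10:17:41.415182 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 452
10:17:41.415190 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.425677 rule 36/0(match): pass in on bge0: 10.0.0.21.3405 > 10.0.0.2.8080: S 2961571271:2961571271(0) win 65535 <mss 1460,nop,nop,sackOK>
10:17:41.426144 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.426151 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.436043 rule 36/0(match): pass in on bge0: 10.0.0.21.3406 > 10.0.0.2.8080: S 2262277316:2262277316(0) win 65535 <mss 1460,nop,nop,sackOK>
EOF
)

# Constructed `pfctl -vvsr` excerpt; the rule numbers are illustrative only and
# are NOT the numbering of the poster's ruleset.
SAMPLE_RULES=$(cat <<'EOF'
@0 block drop in log all
  [ Evaluations: 100       Packets: 0         Bytes: 0           States: 0     ]
@1 block drop out log all
  [ Evaluations: 100       Packets: 8         Bytes: 2000        States: 0     ]
@2 pass in quick on lo0 all
EOF
)

# summarize_pflog: read pflog lines on stdin, print "count rule action dir iface proto",
# most frequent first. The protocol is taken from the token after the destination.
summarize_pflog() {
    awk '
    $2 == "rule" {
        split($3, r, "/"); rule = r[1]          # "5/0(match):" -> "5"
        action = $4; dir = $5; iface = $7; sub(/:$/, "", iface)
        proto = ""
        for (i = 8; i <= NF; i++) if ($i == ">") { proto = $(i + 2); break }
        if (proto == "pfsync")               p = "pfsync"
        else if (proto ~ /^[SPFR.]/)         p = "tcp"    # tcpdump TCP flag field
        else if (tolower(proto) ~ /udp/)     p = "udp"
        else if (tolower(proto) ~ /icmp/)    p = "icmp"
        else                                 p = "other"
        count[rule " " action " " dir " " iface " " p]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# show_rule N: read `pfctl -vvsr` output on stdin and print rule @N.
show_rule() {
    awk -v key="@$1" '$1 == key { print; exit }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_pflog
printf '%s\n' "$SAMPLE_RULES" | show_rule 1
# On the firewall itself: tcpdump -eni pflog0 | summarize_pflog   and   pfctl -vvsr | show_rule 5
```

On the posted capture the summary shows that every blocked packet is a pfsync frame (pf's own state-synchronisation protocol) leaving vr0 towards 0.0.0.0, so the rule to look up is the one numbered 5 in `pfctl -vvsr`. For the routing question, two PF facts are worth checking against the posted rules: filter rules are evaluated top-down and the last matching rule wins unless one carries `quick`, and a `route-to` rule only redirects packets that match its own source and port criteria; the posted port-25 `route-to` rule matches source `$fwips`, while LAN clients fall under `$lan_net`.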
 