Re: PF and Binat
On Jul 14, 2008, at 10:28 PM, Parvinder Bhasin wrote:
> On Jul 14, 2008, at 10:00 PM, Ryan McBride wrote:
>> On Mon, Jul 14, 2008 at 09:48:22PM -0700, Parvinder Bhasin wrote:
>>> what gives?
>>
>> Oh, I missed this before:
>>
>>> pass in on $ext_if proto tcp from any to 75.36.44.22 port 80
>>> pass in on $ext_if proto tcp from any to 75.36.44.23 port 25
>>
>> Filtering happens AFTER translation, so you need to filter on the real
>> addresses of the hosts, not the alias addresses.
>
> Hmm by real ip do you mean internal ips of the servers??

Yes.

-- bk
Re: PF and Binat
On Mon, Jul 14, 2008 at 10:28:18PM -0700, Parvinder Bhasin wrote:
>> Filtering happens AFTER translation, so you need to filter on the real
>> addresses of the hosts, not the alias addresses.
>
> Hmm by real ip do you mean internal ips of the servers??

Yes.
Re: PF and Binat
On Jul 14, 2008, at 10:00 PM, Ryan McBride wrote:
> On Mon, Jul 14, 2008 at 09:48:22PM -0700, Parvinder Bhasin wrote:
>> Actually Ryan, when I do the aliases way, do I still need the binat
>> statements? because when I use aliases and binat statements together,
>> it doesn't work.
>> Without the binat statements and with aliases everything works fine??
>
> If you do aliases without the binat, you're not connecting to your natted
> hosts, you're connecting to your firewall.

I understand that part fine, I use RDR when not using binat. It works fine. I would really like to make it work through binat than the RDR. So what do you think the config should look like?

>> what gives?
>
> Oh, I missed this before:
>
>> pass in on $ext_if proto tcp from any to 75.36.44.22 port 80
>> pass in on $ext_if proto tcp from any to 75.36.44.23 port 25
>
> Filtering happens AFTER translation, so you need to filter on the real
> addresses of the hosts, not the alias addresses.

Hmm by real ip do you mean internal ips of the servers??
Re: PF and Binat
On Mon, Jul 14, 2008 at 09:48:22PM -0700, Parvinder Bhasin wrote:
> Actually Ryan, when I do the aliases way, do I still need the binat
> statements? because when I use aliases and binat statements together,
> it doesn't work.
> Without the binat statements and with aliases everything works fine??

If you do aliases without the binat, you're not connecting to your natted
hosts, you're connecting to your firewall.

> what gives?

Oh, I missed this before:

> pass in on $ext_if proto tcp from any to 75.36.44.22 port 80
> pass in on $ext_if proto tcp from any to 75.36.44.23 port 25

Filtering happens AFTER translation, so you need to filter on the real
addresses of the hosts, not the alias addresses.
Re: PF and Binat
Thanks Ryan!! That was my hunch too, but wanted to be sure.

Another question that arises from this is whenever I reboot the box or do sh /etc/netstart, the ip address that is bound to the external interface (with aliases) would sort of round robin between the different aliases. Is this normal behaviour?

On Jul 14, 2008, at 9:31 PM, Ryan McBride wrote:
> On Mon, Jul 14, 2008 at 09:19:22PM -0700, Parvinder Bhasin wrote:
>> When I try to add the external ips as aliases on my external interface,
>> it works fine.
>>
>> Isn't the BINAT statement sufficient??? do i have to use aliases???
>
> Unless the addresses are being routed to the firewall in question, yes,
> you have to use aliases. Otherwise your system will not reply to ARP
> requests for the addresses, and the upstream router will not know where
> to send the traffic.
Re: PF and Binat
Actually Ryan, when I do the aliases way, do I still need the binat statements? because when I use aliases and binat statements together, it doesn't work. Without the binat statements and with aliases everything works fine?? what gives?

On Jul 14, 2008, at 9:31 PM, Ryan McBride wrote:
> On Mon, Jul 14, 2008 at 09:19:22PM -0700, Parvinder Bhasin wrote:
>> When I try to add the external ips as aliases on my external interface,
>> it works fine.
>>
>> Isn't the BINAT statement sufficient??? do i have to use aliases???
>
> Unless the addresses are being routed to the firewall in question, yes,
> you have to use aliases. Otherwise your system will not reply to ARP
> requests for the addresses, and the upstream router will not know where
> to send the traffic.
Re: PF and Binat
On Mon, Jul 14, 2008 at 09:19:22PM -0700, Parvinder Bhasin wrote:
> When I try to add the external ips as aliases on my external interface,
> it works fine.
>
> Isn't the BINAT statement sufficient??? do i have to use aliases???

Unless the addresses are being routed to the firewall in question, yes,
you have to use aliases. Otherwise your system will not reply to ARP
requests for the addresses, and the upstream router will not know where
to send the traffic.
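The following pf.conf fragment is an added illustration, not a configuration posted by anyone in this thread. It puts Ryan's two answers together: the public addresses are configured as interface aliases so the firewall answers ARP for them, binat maps them one-to-one onto the servers, and the inbound pass rules match the servers' real (internal) addresses because filtering runs after translation. The interface names (em0, em1), the internal addresses (192.168.1.10, 192.168.1.11) and the firewall's primary public address are assumptions; only 75.36.44.22 and 75.36.44.23 come from the thread. The syntax is the pre-OpenBSD-4.7 dialect in use when the thread was written.

```pf
# Added example, not from the thread. Assumed names: em0 is the external
# interface, em1 the internal one, 192.168.1.10 and .11 are the real
# (internal) addresses of the web and mail servers. 75.36.44.22 and .23
# are the public addresses quoted in the thread.
ext_if   = "em0"
int_if   = "em1"
web_int  = "192.168.1.10"
mail_int = "192.168.1.11"
web_ext  = "75.36.44.22"
mail_ext = "75.36.44.23"

# 1. The public addresses must exist on the external interface, otherwise
#    the firewall never answers ARP for them and the upstream router has
#    nowhere to send the packets. That lives outside pf.conf, in
#    /etc/hostname.em0 (the primary address below is a placeholder):
#      inet 75.36.44.21 255.255.255.0 NONE
#      inet alias 75.36.44.22 255.255.255.255
#      inet alias 75.36.44.23 255.255.255.255

# 2. Translation: a bidirectional one-to-one mapping. Inbound packets sent
#    to the public address are rewritten to the internal address before
#    the filter rules run; outbound packets from the server leave with the
#    public source address.
binat on $ext_if from $web_int  to any -> $web_ext
binat on $ext_if from $mail_int to any -> $mail_ext

# 3. Filtering happens after translation, so inbound rules match the
#    internal address. A rule written against 75.36.44.22 here would never
#    match anything. Last matching rule wins, so the block comes first.
block in on $ext_if
pass in on $ext_if proto tcp from any to $web_int  port 80 keep state
pass in on $ext_if proto tcp from any to $mail_int port 25 keep state

# The servers' own outbound connections (state handles the replies to the
# inbound rules above).
pass in  on $int_if from { $web_int, $mail_int } to any keep state
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm with `pfctl -s nat` that the binat pairs were installed and with `pfctl -s rules` that the pass rules reference the internal addresses. On OpenBSD 4.7 and later the translation syntax changed (binat is written as `binat-to` on a `match` or `pass` rule, see pf.conf(5)), but the point made in the thread still applies: filter rules see the translated address, so they must name the real host.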