Re: route-to does not work for me - what am I doing wrong

2008-10-15 Thread Siju George
On Tue, Oct 14, 2008 at 3:50 PM, Stuart Henderson [EMAIL PROTECTED] wrote:

> > pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from
> > <hifxchn2> to any keep state
> >
> > to route requests from hosts in hifxchn2 through the rl2 internet
> > connection but it does not seem to work.
>
> you should route the packets in the outgoing direction.


Hi Stuart,

I did not get what you said.
Could you please give an example?

Thanks

Siju



route-to does not work for me - what am I doing wrong

2008-10-14 Thread Siju George
Hi,

I have a firewall

sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection

I have a line in pf.conf

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

to route requests from hosts in hifxchn2 through the rl2 internet
connection but it does not seem to work.

the full pf.conf is below

===
##NETWORK INTERFACES
#
int_if=sk0            #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if=rl1            #Dataone Connection - rl2 interface Connected to the Dataone Router.
ext_if2=rl2
ext_ifgw=122.166.40.1
proxy=122.166.40.36


#Private IP Address Range Specified by RFC 1918.
#
priv_nets={ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }


#Computers in HiFX LAN that are permitted to bypass squid to make HTTP
#and HTTPS connections directly to the Internet
#
table <bypass-squid-users> persist file /etc/pf-tables/bypass-squid-users

#Websites to which bypassing SQUID is allowed.
#
table <bypass-squid-sites> persist file /etc/pf-tables/bypass-squid-sites
table <lanspl> persist file /etc/pf-tables/lanspl
table <adm> persist file /etc/pf-tables/adms
table <vtcservers> persist file /etc/pf-tables/vtcservers
table <bannedIPs> persist file /etc/pf-tables/bannedIPs
table <authpf_users> persist
table <hifxchn2> persist file /etc/pf-tables/hifxchn2

#Traffic Normalization - Required for pppoe connection.
#
scrub on $ext_if all no-df random-id fragment reassemble

###Network Address Translation and Port Redirection
###The First Matching rule wins here for any packet and no further
###nat or rdr rules are checked.
nat-anchor authpf/*
rdr-anchor authpf/*
binat-anchor authpf/*

nat pass on $ext_if from <adm> to any -> ($ext_if)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443

###
#
nat on $ext_if from <bypass-squid-users> to any -> ($ext_if)

#NAT connections to specified websites.
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if2)

#Block NAT for other hosts to port 80 and 443 on the Internet.
#They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }

#Allow NAT for rest of the Computers to Internet - port 80 and 443 is
#already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

#The SQUID CACHE PROXY Listens on localhost interface port 8080 for
#security reasons.
#PROXY configuration for computers in the HIFX LAN Machine in the IP
#Address of $int_if and port 8080
#Hence all Traffic coming to $int_if port 8080 should be redirected
#to SQUID running on localhost:8080
#

no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080

###Filter Rules.
###The last matching rule wins here for packets except when the quick
###word is used in which case Further rules are not processed.
#Starting with a Deny all Traffic Policy. Later rules open up the
#firewall for required traffic.

block all
pass in quick on $ext_if inet proto tcp from any to any port ssh keep state

#Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to <bannedIPs>

#Allow all traffic on the localhost interface.

pass quick on lo0 all

#Allow Traffic from HIFX LAN to pass through the firewall and also allow
#traffic from firewall to enter the LAN.

pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state


#Allow Traffic from Firewall to pass out to the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state


#ftp-proxy
anchor ftp-proxy/*
pass out proto tcp from $proxy to any port 21 keep state

#authpf
anchor authpf/*



# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128

Re: route-to does not work for me - what am I doing wrong

2008-10-14 Thread Insan Praja SW
On Tue, 14 Oct 2008 14:33:19 +0700, Siju George [EMAIL PROTECTED] wrote:

Hi Siju,
I think there are several things you need to understand more about pf's
quick option.
If you don't use the quick option on rules, then the last matching rule
will be applied, but if you use the quick option, the first matching rule
will be applied and the rest will be ignored. So, if you use the quick
option the filter order would be:


rule 1 # very detail
rule 2 # pretty much detail
rule 3 # detail
rule 4 # not detail

something like:
pass in quick on $int_if inet proto tcp from net_example1 to internet
pass in quick on $int_if inet from net_example1 to internet
pass in quick on $int_if from net_example1 to any
pass in quick on $int_if


if you don't use quick then it would be:
rule 1 # not detail
rule 2 # detail
rule 3 # pretty much detail
rule 4 # very detail

something like:
pass in on $int_if
pass in on $int_if from net_example1 to any
pass in on $int_if from net_example1 to internet
pass in on $int_if inet from net_example1 to internet
pass in on $int_if inet proto tcp from net_example to internet

HTH,
Insan


Re: route-to does not work for me - what am I doing wrong

2008-10-14 Thread Stuart Henderson
> If you don't use the quick option on rules, then the last matching rule
> will be applied, but if you use the quick option, the first matching rule
> will be applied and the rest will be ignored. So, if you use the quick
> option the filter order would be:

picking just the "in ... on $int_if" rules, in order:

> pass in quick on $int_if from any to $int_if keep state
> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to
> any keep state
> pass in quick on $int_if from $int_if:network to any keep state

so this is not a problem.


> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from
> <hifxchn2> to any keep state
>
> to route requests from hosts in hifxchn2 through the rl2 internet
> connection but it does not seem to work.

you should route the packets in the outgoing direction.

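A toy model of the rule evaluation Insan describes and of the "in ... on $int_if" ordering Stuart walks through, as an added example in Python (not code from the thread or from pf itself): the same three rules are evaluated first with quick, then reversed without it, and both orderings pick the same winning rule. The sk0 address, the membership of the <hifxchn2> table and the destination addresses are assumed values, and real pf matches on far more fields than this model does.

```python
"""Toy model of pf filter-rule evaluation (added example, not pf code).
pf walks the ruleset top to bottom: the last matching rule wins, unless a
matching rule carries 'quick', which ends evaluation at that rule."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str = "any"           # "in", "out" or "any"
    iface: str = "any"
    src: str = "any"                 # address, CIDR or "any"
    dst: str = "any"
    quick: bool = False
    route_to: Optional[str] = None   # "iface nexthop" on route-to rules
    label: str = ""

@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    dst: str

def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    # Only direction, interface and addresses are modelled; real pf also
    # matches on af, proto, ports, flags, state and more.
    return (rule.direction in ("any", pkt.direction)
            and rule.iface in ("any", pkt.iface)
            and addr_match(rule.src, pkt.src)
            and addr_match(rule.dst, pkt.dst))

def evaluate(rules: list, pkt: Packet) -> Optional[Rule]:
    """Return the rule that decides the packet (None if nothing matched)."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule            # last match so far ...
            if rule.quick:
                break                # ... unless it is quick: stop here
    return winner

# The 'in on $int_if' rules from the thread, in Siju's order.  The sk0
# address and the <hifxchn2> table contents are assumed values.
INT_IF_ADDR = "172.16.0.1"
HIFXCHN2 = "172.16.8.0/24"
QUICK_RULES = [
    Rule("block", label="block all"),
    Rule("pass", "in", "sk0", dst=INT_IF_ADDR, quick=True, label="to firewall"),
    Rule("pass", "in", "sk0", src=HIFXCHN2, quick=True,
         route_to="rl2 122.166.40.1", label="route-to rl2"),
    Rule("pass", "in", "sk0", src="172.16.0.0/12", quick=True, label="lan out"),
]
# Insan's alternative: drop 'quick', list rules from least to most specific
# (the same rules reversed) and let last-match-wins pick the same winner.
NOQUICK_RULES = [QUICK_RULES[0]] + [replace(r, quick=False)
                                    for r in reversed(QUICK_RULES[1:])]

def decide(rules: list, src: str, dst: str) -> tuple:
    r = evaluate(rules, Packet("in", "sk0", src, dst))
    return (r.action, r.label, r.route_to)
```

A host in <hifxchn2> talking to the firewall itself is caught by the earlier "to $int_if" quick rule, which is why Stuart lists the rules in order before concluding the ordering is not the problem.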


Re: route-to does not work for me - what am I doing wrong

2008-10-14 Thread Charlie Clark

Hi Siju,

isn't this:

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state


meant to be like this:

pass in quick on $int_if route-to { ( $ext_if2 $ext_ifgw ) } from <hifxchn2> to any keep state



Regards,

Charlie


Re: route-to does not work for me - what am I doing wrong

2008-10-14 Thread Siju George
Thanks, I figured it out.
I missed the nat rule for $ext_if2.

--Siju
