Re: route-to does not work for me - what am I doing wrong

On Tue, Oct 14, 2008 at 3:50 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
>> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
>>
>> to route requests from hosts in hifxchn2 through the rl2 internet connection but it does not seem to work.
>
> you should route the packets in the outgoing direction.

Hi Stuart,

I did not get what you said. Could you please give an example?

Thanks

Siju
route-to does not work for me - what am I doing wrong

Hi,

I have firewall

sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection

I have a line in pf.conf

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

to route requests from hosts in hifxchn2 through the rl2 internet connection but it does not seem to work.

the full pf.conf is below

===

## NETWORK INTERFACES
#
int_if=sk0	# HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if=rl1	# Dataone Connection - rl2 interface Connected to the Dataone Router.
ext_if2=rl2
ext_ifgw=122.166.40.1
proxy=122.166.40.36

# Private IP Address Range Specified by RFC 1918.
#
priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
#
table <bypass-squid-users> persist file "/etc/pf-tables/bypass-squid-users"

# Websites to which bypassing SQUID is allowed.
#
table <bypass-squid-sites> persist file "/etc/pf-tables/bypass-squid-sites"

table <lanspl> persist file "/etc/pf-tables/lanspl"
table <adm> persist file "/etc/pf-tables/adms"
table <vtcservers> persist file "/etc/pf-tables/vtcservers"
table <bannedIPs> persist file "/etc/pf-tables/bannedIPs"
table <authpf_users> persist
table <hifxchn2> persist file "/etc/pf-tables/hifxchn2"

# Traffic Normalization - Required for pppoe connection.
#
scrub on $ext_if all no-df random-id fragment reassemble

### Network Address Translation and Port Redirection
### The First Matching rule wins here for any packet and no further nat or rdr rules are checked.

nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

nat pass on $ext_if from <adm> to any -> ($ext_if)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443

###
#
nat on $ext_if from <bypass-squid-users> to any -> ($ext_if)

# NAT connections to specified websites.
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if2)

# Block NAT for other hosts to port 80 and 443 on the Internet.
# They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }

# Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

# The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
# PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
# Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
#
no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080

### Filter Rules.
### The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.

# Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.
block all

pass in quick on $ext_if inet proto tcp from any to any port ssh keep state

# Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to <bannedIPs>

# Allow all traffic on the localhost interface.
pass quick on lo0 all

# Allow Traffic from HIFX LAN to pass through the firewall also allow traffic from firewall to enter the LAN.
pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state
pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state

# Allow Traffic from Firewall to pass out to the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state

# ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state

# authpf
anchor "authpf/*"

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
	groups: lo
	inet 127.0.0.1 netmask 0xff00
	inet6 ::1 prefixlen 128
Re: route-to does not work for me - what am I doing wrong

On Tue, 14 Oct 2008 14:33:19 +0700, Siju George [EMAIL PROTECTED] wrote:

Hi Siju,

I think there are several things you need to understand more about the pf quick option.

If you don't use the quick option on rules, then the last matching rule will be applied, but if you use the quick option, the first matching rule will be applied and the rest will be ignored.

So, if you use the quick option the filter order would be:

rule 1 # very detailed
rule 2 # pretty much detailed
rule 3 # detailed
rule 4 # not detailed

something like:

pass in quick on $int_if inet proto tcp from net_example1 to internet
pass in quick on $int_if inet from net_example1 to internet
pass in quick on $int_if from net_example1 to any
pass in quick on $int_if

If you don't use quick then it would be:

rule 1 # not detailed
rule 2 # detailed
rule 3 # pretty much detailed
rule 4 # very detailed

something like:

pass in on $int_if
pass in on $int_if from net_example1 to any
pass in on $int_if from net_example1 to internet
pass in on $int_if inet from net_example1 to internet
pass in on $int_if inet proto tcp from net_example1 to internet

HTH,

Insan

> Hi,
>
> I have firewall
>
> sk0 - LAN Interface
> rl1 - Primary internet connection
> rl2 - secondary Internet connection
>
> I have a line in pf.conf
>
> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
>
> to route requests from hosts in hifxchn2 through the rl2 internet connection but it does not seem to work.
>
> the full pf.conf is below
> [...]
Re: route-to does not work for me - what am I doing wrong

> If you don't use the quick option on rules, then the last matching rule will be applied, but if you use the quick option, the first matching rule will be applied and the rest will be ignored.
>
> So, if you use the quick option the filter order would be:

picking just the in...on $int_if rules in order:

pass in quick on $int_if from any to $int_if keep state
pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
pass in quick on $int_if from $int_if:network to any keep state

so this is not a problem.

>> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
>>
>> to route requests from hosts in hifxchn2 through the rl2 internet connection but it does not seem to work.

you should route the packets in the outgoing direction.
Re: route-to does not work for me - what am I doing wrong

Hi Siju,

isn't this:

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

meant to be like this:

pass in quick on $int_if route-to { ( $ext_if2 $ext_ifgw ) } from <hifxchn2> to any keep state

Regards,
Charlie

Siju George wrote:
> Hi,
>
> I have firewall
>
> sk0 - LAN Interface
> rl1 - Primary internet connection
> rl2 - secondary Internet connection
>
> I have a line in pf.conf
>
> to route requests from hosts in hifxchn2 through the rl2 internet connection but it does not seem to work.
>
> the full pf.conf is below
> [...]
Re: route-to does not work for me - what am I doing wrong

Thanks I figured it out.
I missed the nat rule for $ext_if2

--Siju

On Tue, Oct 14, 2008 at 1:03 PM, Siju George [EMAIL PROTECTED] wrote:
> Hi,
>
> I have firewall
>
> sk0 - LAN Interface
> rl1 - Primary internet connection
> rl2 - secondary Internet connection
>
> I have a line in pf.conf
>
> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
>
> to route requests from hosts in hifxchn2 through the rl2 internet connection but it does not seem to work.
>
> the full pf.conf is below
> [...]
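The two mechanics this thread turns on, Insan's point that pf filter rules are last-match-wins unless a matching rule carries quick, and Siju's conclusion that the route-to rule needed a matching nat rule on $ext_if2, modelled as a small Python simulation. This is an added example, not pf code and not from anyone in the thread. The table contents and addresses are constructed: <hifxchn2> is taken to hold 172.16.5.0/24, sk0 to be 172.16.0.1, and rl1/rl2 to carry the TEST-NET addresses 203.0.113.7 and 198.51.100.7; $ext_ifgw and $int_if:network are the thread's own values. The model ignores state tracking and anything beyond the in-on-$int_if rules and the two interface nat rules.

```python
"""Toy model of pf rule evaluation for the two points raised in this thread.
Added example, not code from pf or from anyone in the thread.
Constructed assumptions: <hifxchn2> contains 172.16.5.0/24, sk0 is
172.16.0.1, rl1 is 203.0.113.7 and rl2 is 198.51.100.7 (TEST-NET addresses)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INT_IF, EXT_IF, EXT_IF2 = "sk0", "rl1", "rl2"
EXT_IFGW = "122.166.40.1"                                  # $ext_ifgw from the thread
EXT_IF_ADDR, EXT_IF2_ADDR = "203.0.113.7", "198.51.100.7"  # constructed rl1/rl2 addresses
INT_NET = ip_network("172.16.0.0/12")                      # $int_if:network
INT_IF_ADDR = [ip_network("172.16.0.1/32")]                # constructed address of sk0
HIFXCHN2 = [ip_network("172.16.5.0/24")]                   # constructed contents of <hifxchn2>


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in", "out" or "" for either
    iface: str             # interface name, "" for any
    src: list              # list of ip_network; [] means any
    dst: list              # list of ip_network; [] means any
    quick: bool = False
    route_to: Optional[tuple] = None   # (iface, gateway) for route-to

    def matches(self, pkt):
        return ((not self.direction or self.direction == pkt["dir"])
                and (not self.iface or self.iface == pkt["iface"])
                and (not self.src or any(pkt["src"] in n for n in self.src))
                and (not self.dst or any(pkt["dst"] in n for n in self.dst)))


def evaluate_filter(rules, pkt):
    """pf filter semantics: the last matching rule wins, except that a
    matching rule marked quick ends evaluation on the spot."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner


@dataclass
class NatRule:
    iface: str    # outgoing interface the nat rule is bound to
    src: list     # list of ip_network; [] means any
    nat_to: str   # address the source is rewritten to


def evaluate_nat(nat_rules, out_iface, src):
    """Translation rules: the first match on the outgoing interface wins."""
    for rule in nat_rules:
        if rule.iface == out_iface and (not rule.src or any(src in n for n in rule.src)):
            return rule
    return None


def lan_filter_rules(quick=True):
    """The thread's 'in on $int_if' pass rules, preceded by its 'block all'."""
    return [
        Rule("block", "", "", [], []),                       # block all
        Rule("pass", "in", INT_IF, [], INT_IF_ADDR, quick),  # from any to $int_if
        Rule("pass", "in", INT_IF, HIFXCHN2, [], quick,
             route_to=(EXT_IF2, EXT_IFGW)),                  # route-to rule for <hifxchn2>
        Rule("pass", "in", INT_IF, [INT_NET], [], quick),    # from $int_if:network to any
    ]


def nat_rules(nat_on_ext_if2=True):
    """nat on $ext_if ... -> ($ext_if), optionally with its twin on $ext_if2."""
    rules = [NatRule(EXT_IF, [INT_NET], EXT_IF_ADDR)]
    if nat_on_ext_if2:
        rules.append(NatRule(EXT_IF2, [INT_NET], EXT_IF2_ADDR))
    return rules


def forward(src, dst, quick=True, nat_on_ext_if2=True):
    """Return (outgoing interface, source address as the upstream sees it)
    for a LAN packet arriving on sk0, or None if the filter blocks it."""
    pkt = {"dir": "in", "iface": INT_IF, "src": ip_address(src), "dst": ip_address(dst)}
    rule = evaluate_filter(lan_filter_rules(quick), pkt)
    if rule is None or rule.action != "pass":
        return None
    # route-to bypasses the routing table; otherwise the default route (rl1) applies
    out_iface = rule.route_to[0] if rule.route_to else EXT_IF
    nat = evaluate_nat(nat_rules(nat_on_ext_if2), out_iface, pkt["src"])
    return out_iface, (nat.nat_to if nat else str(pkt["src"]))


if __name__ == "__main__":
    print(forward("172.16.5.10", "192.0.2.80"))                        # ('rl2', '198.51.100.7')
    print(forward("172.16.5.10", "192.0.2.80", nat_on_ext_if2=False))  # ('rl2', '172.16.5.10')
    print(forward("172.16.5.10", "192.0.2.80", quick=False))           # ('rl1', '203.0.113.7')
    print(forward("172.16.9.3", "192.0.2.80"))                         # ('rl1', '203.0.113.7')
```

The second call is the failure Siju was seeing: the route-to rule does win, and the packet does leave on rl2, but with no nat rule bound to $ext_if2 it keeps its 172.16.x source address, so the rl2 provider has no route back for the reply. The third call is Insan's point: drop quick and the later, broader $int_if:network rule is the last match, so the route-to is never applied and the packet takes the default route out rl1.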