[nycbug-talk] pf/freebsd, route-to, reply-to and nat

Max Gribov max at neuropunks.org
Tue Jun 27 23:43:59 EDT 2006


Hello all,
I have been trying to figure this out for a couple of days.
I have a FreeBSD 6.1 router connected to the local network, to a DSL ISP and a
Cable ISP.

All user traffic goes out via the Cable line, the default route on the
box is the Cable.
There is a windows server behind the firewall, and the firewall's DSL IP
address has a port forward for 3389/tcp (rdp) to the windows box.
I'm able to pipe users' traffic via the cable, but no matter what I do, I
cannot get the windows server on the internal network to be accessible
from the DSL IP.
I can reach internet, I can see both cable and DSL routers, and if I
change my default gateway to the DSL, then it works fine.


[root at styx /home/max]# uname -a
FreeBSD styx.neuropunks.org 6.1-RELEASE FreeBSD 6.1-RELEASE #1: Mon Jun
12 19:44:57 EDT 2006    
max at styx.neuropunks.org:/usr/src/sys/sparc64/compile/STYX  sparc64

Here are the relevant rule parts
(the order of the rules below is the actual order in the pf.conf):

int="hme0"
ext="hme1"
ext_cable="hme5"
gw_dsl="216.254.70.1"
gw_cable="207.38.217.1"
draco="192.168.0.4"

# nat
nat on $ext_cable  from $local_net to any -> ($ext_cable)
nat on $ext from $local_net to any -> ($ext)

# rdr
rdr inet proto tcp from any to $styx_ext/32 port 3389 -> $draco port 3389

# default deny
block log-all all
pass quick on lo0 all

# ensures that we can pass to draco's 192.168.x.x ip address
pass in log on $ext inet proto tcp from any to $draco/32 port 3389 flags S/SA modulate state queue (prirdp, tcpack)

# pass tcp to DSL public IP to port 3389, reply through DSL interface/IP
pass in quick log on $ext reply-to ($ext $gw_dsl) inet proto tcp from any to $styx_ext/32 port 3389 flags S/SA modulate state queue (prirdp, tcpack)

# local interface filtering
pass out on $int from any to $local_net
pass in quick on $int from $local_net to $int

# pass into local interface with source of 192.168.x.x
pass in log on $int route-to ($ext $gw_dsl) proto tcp from $draco/32 port 3389 to any keep state queue (intprirdp, inttcpack)

# global allow all outgoing
pass out on $ext_cable inet proto tcp from any to any flags S/SA
modulate state
pass out on $ext_cable inet proto { udp, icmp } from any to any keep state
pass out on $ext inet proto tcp from any to any flags S/SA modulate state
pass out on $ext inet proto { udp, icmp } from any to any keep state

# keep track of the interfaces/sources
pass out on $ext route-to ($ext_cable $gw_cable) from $ext_cable to any
pass out on $ext_cable route-to ($ext $gw_dsl) from $ext to any
# EOF

Here is tcpdump output from watching pflog0 for the relevant log entries:
19:27:50.405748 rule 12/0(match): pass in on hme1:
finn.neuropunks.org.64868 > draco.rdp: S 2150035332:2150035332(0) win
65535 <mss 1460,nop,wscale 1,[|tcp]>
        0x0000:  4520 003c d29a 4000 3b06 3c2c 451f 2b0a
        0x0010:  c0a8 0004 fd64 0d3d 8026 ef84 0000 0000
        0x0020:  a002 ffff 5f15 0000 0204 05b4 0103 0301
19:27:50.405910 rule 67/0(match): pass out on hme0:
finn.neuropunks.org.64868 > draco.rdp: S 2150035332:2150035332(0) win
65535 <mss 1460,nop,wscale 1,[|tcp]>
        0x0000:  4520 003c d29a 4000 3a06 3d2c 451f 2b0a
        0x0010:  c0a8 0004 fd64 0d3d 8026 ef84 0000 0000
        0x0020:  a002 ffff 5f15 0000 0204 05b4 0103 0301


The packets are not being filtered; the global block policy logs denies.
I looked at plain interface tcpdump (hme0, hme1) and my router does
address packets to the local DSL router's MAC address,
and I am able to ssh into the firewall itself, which is handled by this
rule:

pass in quick log on $ext reply-to ($ext $gw_dsl) inet proto tcp from any to $styx_ext/32 port 22 flags S/SA modulate state (max-src-conn-rate 8/60, overload <spammers> flush global) queue (prissh, tcpack)

so I know I can get packets back over the DSL interface even if the
static route is the cable.
There seems to be some issue with either NATing, or with how I am using the
reply-to/route-to rules, but I've tried everything, and I can't figure it out.

If anyone has any idea, or did something similar, please let me know.

Thank you,

Max
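Editor's added example, not code from the post above: a pf.conf fragment for the setup the post describes (a host behind the firewall reachable through a port forward on the non-default WAN), using the same interface names and gateway addresses as the post. One pf behaviour matters when reading the posted ruleset: rdr translation is applied before the filter rules are evaluated, so an inbound packet for $styx_ext:3389 already carries $draco as its destination by the time the filter rules see it. The pflog output above shows exactly that: the SYN arriving on hme1 is logged as `> draco.rdp`, and the rule that matched it is the one written against $draco, not the reply-to rule written against $styx_ext. A pass rule that is meant to attach reply-to to redirected traffic therefore has to match the translated address. $local_net and $styx_ext are not defined in the posted excerpt, so their values below are placeholders, and the queue assignments are left out.

```pf
# Added example, not from the original post.  Interfaces and gateways are
# taken from the post; local_net and styx_ext are assumed placeholder values
# because the posted excerpt does not define them.
int="hme0"
ext="hme1"
ext_cable="hme5"
gw_dsl="216.254.70.1"
gw_cable="207.38.217.1"
draco="192.168.0.4"
local_net="192.168.0.0/24"      # assumed
styx_ext="216.254.70.2"         # assumed: the firewall's DSL-side address

# nat: each WAN interface rewrites LAN sources to its own address
nat on $ext_cable from $local_net to any -> ($ext_cable)
nat on $ext from $local_net to any -> ($ext)

# rdr: DSL public address :3389 -> draco.  pf applies this before the filter
# rules run, so every filter rule below sees the destination as $draco.
rdr on $ext inet proto tcp from any to $styx_ext port 3389 -> $draco port 3389

block log all
pass quick on lo0 all

# Inbound RDP on the DSL interface.  The rule matches the translated
# destination ($draco).  reply-to is recorded in the state entry, so the
# replies for this connection leave via hme1/gw_dsl even though the default
# route points at the cable link.
pass in quick log on $ext reply-to ($ext $gw_dsl) inet proto tcp from any \
    to $draco port 3389 flags S/SA modulate state

# The pflog output in the post shows the same SYN logged again as it leaves
# hme0, so the forwarded packet needs a pass out rule there as well; keeping
# state here also admits draco's replies back in on hme0.
pass out quick on $int inet proto tcp from any to $draco port 3389 \
    flags S/SA keep state

# LAN -> firewall / internet
pass in quick on $int from $local_net to any keep state
pass out on $int from any to $local_net keep state

# Outbound on each WAN
pass out on $ext_cable inet proto tcp from any to any flags S/SA modulate state
pass out on $ext_cable inet proto { udp, icmp } from any to any keep state
pass out on $ext inet proto tcp from any to any flags S/SA modulate state
pass out on $ext inet proto { udp, icmp } from any to any keep state

# Traffic sourced from one WAN address that the default route would push
# out the other WAN interface is forced back onto its own link.
pass out on $ext route-to ($ext_cable $gw_cable) from $ext_cable to any
pass out on $ext_cable route-to ($ext $gw_dsl) from $ext to any
```

Checks worth running after loading this: `pfctl -nf /etc/pf.conf` parses the file without loading it; `pfctl -vvsr` prints the loaded rules with the `@N` numbers that pflog reports, so `rule 12/0(match)` in the log can be tied to an actual rule; `pfctl -ss` after a connection attempt should show the RDP state with draco on the inside and the DSL address as the translated side; and `tcpdump -ni hme1 port 3389` should show the SYN-ACK leaving hme1 with the DSL address as its source. If the SYN-ACK instead shows up on hme5, the state that carried it was created by a rule without reply-to.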
