
freebsd-pf Digest, Vol 172, Issue 4


freebsd-p...@freebsd.org

Jan 11, 2008, 7:00:21 AM
to freeb...@freebsd.org
Send freebsd-pf mailing list submissions to
freeb...@freebsd.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
or, via email, send a message with subject or body 'help' to
freebsd-p...@freebsd.org

You can reach the person managing the list at
freebsd-...@freebsd.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of freebsd-pf digest..."


Today's Topics:

1. Re: Forwarding another host (Rodrique Heron)
2. Re: Forwarding another host (David DeSimone)
3. Re: Forwarding another host (Rodrique Heron)
4. Re: Forwarding another host (Max Laier)
5. Re: carpdev ... (Max Laier)
6. Re: Forwarding another host (David DeSimone)
7. Re: Forwarding another host (Michal Varga)
8. Re: carpdev ... (Alexandre Biancalana)
9. Re: carpdev ... (Kian Mohageri)
10. Re: carpdev ... (Alexandre Biancalana)


----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Jan 2008 07:59:17 -0500
From: "Rodrique Heron" <swy...@rodhouse.org>
Subject: Re: Forwarding another host
To: freeb...@freebsd.org
Message-ID:
<1a5f1a2d0801100459s24...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 1/9/08, David DeSimone <f...@verio.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rodrique Heron <swy...@gmail.com> wrote:
> >
> > I'm running FreeBSD 6.2 and I want to know if forwarding to a external
> > host is supported by PF. I want to forward all incoming traffic to
> > port 22 to another host, but it does not work, forwarding to a Jail
> > works though. Here are my configs:
>
> This is a classic NAT problem. Picture what happens each step of the
> way:
>
> Your firewall = A.B.C.D
>
> External Host = E.F.G.H
>
> External Client = W.X.Y.Z
>
> Packet (src = W.X.Y.Z dst = A.B.C.D) goes to the firewall.
>
> Firewall applies NAT, so packet is now (src = W.X.Y.Z, dst =
> E.F.G.H). Firewall routes the packet back out to the external
> network that it came from.
>
> External host receives packet (src = W.X.Y.Z, dst = E.F.G.H).
>
> External host sends back a reply packet (src = E.F.G.H, dst =
> W.X.Y.Z). This reply goes straight back over the internet; it
> does not ever come back to your firewall, but goes directly back
> to the client. Firewall does not see reply, so there is no
> chance to apply reverse NAT.
>
> Client receives packet (src = E.F.G.H, dst = W.X.Y.Z). The packet
> is unrecognized, however, because the packet that the client
> originally sent was for (src = W.X.Y.Z dst = A.B.C.D). Client
> sends a RST. Connection fails.
>
> The way I have solved this problem in other environments is with "double
> NAT" where the firewall translates both the Source and Destination IP
> for internally-receive traffic. The firewall applies the correct
> destination NAT, but also applies NAT to the source IP, giving its own
> IP. This causes the external server to reply back to the firewall so
> that the traffic can be de-NAT'd correctly.
>
> However, I am unaware of the ability to perform Double NAT using FreeBSD
> tools. There is no reason the kernel could not do it; it is just a
> missing feature in the toolset.
>
> Offhand I am not sure why you would want to forward traffic from your
> host over to some external host. If you really must do this, the only
> way that comes to mind would be using a proxy of some sort, opening a
> secondary connection to the external host on behalf of the client.

I have an immediate need to relocate my Web server from the DMZ to inside the
network. The problem is, my content contributors log in to the server via SSH
and the IP address of the Web server will change after the move. I am
placing an Apache reverse proxy in place of the Web server and the proxy will
use the Web server's IP address. To make this a seamless move, I wanted to
forward all incoming SSH traffic to the proxy to the Web server's new IP.

If this can't be done with PF, what other method is available?

Thanks



------------------------------

Message: 2
Date: Thu, 10 Jan 2008 11:53:17 -0600
From: David DeSimone <f...@verio.net>
Subject: Re: Forwarding another host
To: freeb...@freebsd.org
Message-ID: <20080110175...@verio.net>
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rodrique Heron <swy...@rodhouse.org> wrote:
>
> I have an immediate need to relocate my Web server from the DMZ to
> inside the network.

When you originally described this problem you stated that you wanted to
forward incoming traffic to an "external host". To me, that means a
host not located anywhere on your internal network. The discussion I
gave related to that scenario. Now it appears you are describing a
problem that is completely different (and that PF should be able to
handle without any trouble).

Perhaps you should more accurately diagram the current network layout
and your desired layout so that we can tell you whether it will work.

- --
David DeSimone == Network Admin == f...@verio.net
"This email message is intended for the use of the person to whom
it has been sent, and may contain information that is confidential
or legally protected. If you are not the intended recipient or have
received this message in error, you are not authorized to copy, dis-
tribute, or otherwise use this message or its attachments. Please
notify the sender immediately by return e-mail and permanently delete
this message and any attachments. Verio, Inc. makes no warranty that
this email is error or virus free. Thank you." --Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFHhluNFSrKRjX5eCoRAoSrAKCKEjO0wcxfkP37klqDdfyDBClbXQCfc92H
+6PCZR+LZkWeaNQM6qrZ8rI=
=ShYC
-----END PGP SIGNATURE-----


------------------------------

Message: 3
Date: Thu, 10 Jan 2008 21:37:49 -0500
From: "Rodrique Heron" <swy...@rodhouse.org>
Subject: Re: Forwarding another host
To: "Michal Varga" <varga....@gmail.com>
Cc: freeb...@freebsd.org
Message-ID:
<1a5f1a2d0801101837r338...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 1/10/08, Michal Varga <varga....@gmail.com> wrote:
>
>
> On Thu, 2008-01-10 at 12:10 -0500, Rodrique Heron wrote:
>
>
> > Thanks
> >
> > FreeBSD syntax for log all is "log-all", I have no block rules. I am
> > passing everything with.
> >
> > pass in quick all
> > pass out quick all
> >
> ah, I think this may be another problem. Syntax for log (all) really
> *was* log-all, in PF 3.7, that is approximately the version used in
> FreeBSD 6.x. I somehow forgot about this from your first mail. As
> FreeBSD 7 incorporates PF 3.9, things behave a little differently here
> and there. Anyway, can you show me the exact PF config you are using
> now, one that you think should work and doesn't?


Sorry for the duplicate, I forgot to CC the list.

Both hosts are in the same broadcast domain, connected to the same switch.

INTERNET
|
|
PIX Firewall
|
|
SWITCH*---*HOSTA 192.168.2.14
*
|
|
*
HOSTB 192.168.2.27


### /etc/pf.conf
ext_if = "em0"
int_if = "lo0"

host_ip = "192.168.2.14"
jail_ip = "192.168.2.18"
external_host = "192.168.2.27"

rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

pass in quick all
pass out quick all


------------------------------

Message: 4
Date: Fri, 11 Jan 2008 04:07:36 +0100
From: Max Laier <m...@love2party.net>
Subject: Re: Forwarding another host
To: freeb...@freebsd.org
Message-ID: <20080111040...@love2party.net>
Content-Type: text/plain; charset="iso-8859-1"

On Friday 11 January 2008, Rodrique Heron wrote:
> On 1/10/08, Michal Varga <varga....@gmail.com> wrote:
> > On Thu, 2008-01-10 at 12:10 -0500, Rodrique Heron wrote:
> > > Thanks
> > >
> > > FreeBSD syntax for log all is "log-all", I have no block rules. I
> > > am passing everything with.
> > >
> > > pass in quick all
> > > pass out quick all
> >
> > ah, I think this may be another problem. Syntax for log (all) really
> > *was* log-all, in PF 3.7, that is approximately the version used in
> > FreeBSD 6.x. I somehow forgot about this from your first mail. As
> > FreeBSD 7 incorporates PF 3.9, things behave a little differently
> > here and there. Anyway, can you show me the exact PF config you are
> > using now, one that you think should work and doesn't?
>
> Sorry for the duplicate, I forgot to CC the list.
>
> Both hosts are in the same broadcast domain, connected to the same
> switch.

Sounds like you are looking for some kind of reflection rather than just
redirection. If resources on the pf box are plenty and you don't mind
running network daemons on it, something like net/rinetd might do the
trick.

> INTERNET
>
>
> PIX Firewall
>
>
> SWITCH*---*HOSTA 192.168.2.14
> *
>
>
> *
> HOSTB 192.168.2.27
>
>
> ### /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
>
> host_ip = " 192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
>
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host
> port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port
> 22
>
> pass in quick all
> pass out quick all

--
/"\ Best regards, | mla...@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20080111/25573339/attachment-0001.pgp

------------------------------

Message: 5
Date: Fri, 11 Jan 2008 04:08:21 +0100
From: Max Laier <m...@love2party.net>
Subject: Re: carpdev ...
To: "Alexandre Biancalana" <bianc...@gmail.com>
Cc: freeb...@freebsd.org
Message-ID: <20080111040...@love2party.net>
Content-Type: text/plain; charset="iso-8859-1"

On Wednesday 09 January 2008, Alexandre Biancalana wrote:
> On 12/9/07, Max Laier <m...@love2party.net> wrote:
> > Please report in case of failure *and* success! Thanks.
>
> Hi Max !
>
> Yesterday I put one firewall running pf with this patch and everything
> worked perfectly! (until now). I just tested the running config with
> carp (real network interface without IP address and using the ifconfig
> carpdev option to associate the carp interface with the real network
> interface); if nothing bad happens until tomorrow, I will put another
> machine in to test all carp failover features and let you know.
>
> Thank you Max for your great work!!

That's good to hear, keep us up to date!

--
/"\ Best regards, | mla...@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

------------------------------

Message: 6
Date: Thu, 10 Jan 2008 21:08:26 -0600
From: David DeSimone <f...@verio.net>
Subject: Re: Forwarding another host
To: freeb...@freebsd.org
Message-ID: <20080111030...@verio.net>
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rodrique Heron <swy...@rodhouse.org> wrote:
>
> INTERNET
> |
> PIX Firewall
> |
> SWITCH*---*HOSTA 192.168.2.14
> *
> |
> *
> HOSTB 192.168.2.27
>
> ### /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
>
> host_ip = " 192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
>
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
>
> pass in quick all
> pass out quick all


NAT is always a two-way street. PF must not only translate packets sent
to another host, it must also receive and translate the REPLY packets
from that host.

In the scenario you paint above, HOSTB will receive packets from HOSTA,
but when generating a reply, the reply will bypass HOSTA and go
directly back to the PIX firewall.

It works in a jail because the jail is "inside" HOSTA and so all reply
traffic from the jail gets seen by HOSTA before going to the network.

Seems to me it would be easier to get the PIX firewall to send traffic
to HOSTB instead of HOSTA. If that device is outside your control,
probably the easiest thing for you to do is set up a generic proxy, like
"redir" or similar, to copy traffic over a secondary connection to HOSTB.

- --
David DeSimone == Network Admin == f...@verio.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFHht2qFSrKRjX5eCoRAiclAJ4o6K2FlPi2E0JzV6j8oMlAMa9ApACeNIOi
MvV4FUbvBEejzzCLhzEPpf8=
=L3iu
-----END PGP SIGNATURE-----


------------------------------

Message: 7
Date: Fri, 11 Jan 2008 04:17:16 +0100
From: Michal Varga <varga....@gmail.com>
Subject: Re: Forwarding another host
To: Rodrique Heron <swy...@rodhouse.org>
Cc: freeb...@freebsd.org
Message-ID: <1200021436.36543.40.camel@xenon>
Content-Type: text/plain


On Thu, 2008-01-10 at 21:37 -0500, Rodrique Heron wrote:
>

> Sorry for the duplicate, I forgot to CC the list.
>
> Both hosts are in the same broadcast domain, connected to the same
> switch.
>
> INTERNET
> |
> |
> PIX Firewall
> |
> |
> SWITCH*---*HOSTA 192.168.2.14
> *
> |
> |
> *
> HOSTB 192.168.2.27
>
>
> ### /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
>
> host_ip = "192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
>
> rdr on $ext_if proto tcp from any to $host_ip port 22 ->
> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port
> 22
>
> pass in quick all
> pass out quick all
>
Ok, so if I understand this correctly, you are trying to redirect
incoming connections from the internet through HOSTA to HOSTB. The
problem I see is that you don't translate your packets on the way back,
so something like this happens (we will call the INTERNET/PIX as
HOST-X):

1. HOST-X sends ssh request to HOST-A

2. HOST-A redirects the request to HOST-B

3. HOST-B sees that there is a request to ssh from HOST-X (remember, the
packet was redirected, not translated to look as if it originated from
HOST-A)

4. So HOST-B opens the ssh connection and sends a reply to HOST-X - I'm
ready.

5. HOST-X now sees that HOST-B is replying with "here is your ssh", but
HOST-X contacted HOST-A in the first place, not HOST-B, so it discards
this connection; it doesn't know why some HOST-B is sending it
anything.


It's 4:15 AM here so I hope I didn't get the scenario wrong, but if this
is the case, I think your problem is obvious.

m.

--
Michal Varga <varga....@gmail.com>
Stonehenge
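
The "double NAT" David describes, and the reflection Max mentions, can be done in PF itself: the same connection gets its destination rewritten on the way in (rdr) and its source rewritten on the way out of the same interface (nat), so HOSTB's reply is addressed to HOSTA and pf can reverse both translations. The /etc/pf.conf below is an added example written for this digest; it is not Rodrique's posted config or anything from the PF project. It keeps the macros from the thread and uses the rdr/nat syntax of the PF 3.7-era pf in FreeBSD 6.x. It assumes em0 is HOSTA's only interface and that HOSTA forwards packets (net.inet.ip.forwarding=1, i.e. gateway_enable="YES" in /etc/rc.conf); the thread does not state either.

```pf
# Added example (not the poster's config). PF 3.7-era syntax, FreeBSD 6.x.
# Assumed: em0 is HOSTA's only interface and IP forwarding is enabled
# (gateway_enable="YES" in /etc/rc.conf), so the redirected packet is
# sent back out em0 towards HOSTB instead of being dropped.
ext_if        = "em0"
host_ip       = "192.168.2.14"
jail_ip       = "192.168.2.18"
external_host = "192.168.2.27"

# Inbound on em0: rewrite the destination, as in the original config.
# SSH to HOSTA:22 goes to HOSTB:22, SSH to HOSTA:26 goes to the jail.
rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

# Outbound on the same interface: rewrite the source of the redirected
# connection to HOSTA's own address. HOSTB then answers HOSTA, which
# holds the state for both translations and undoes them on the reply.
# Without this rule HOSTB answers the PIX directly and the client RSTs.
nat on $ext_if proto tcp from any to $external_host port 22 -> $host_ip

# Filter rules as posted. In PF 3.7 "pass" is stateless by default, but
# nat/rdr rules create their own state, so the translation still works.
pass in quick all
pass out quick all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The trade-off, which the rinetd/redir proxy approach shares, is that sshd on HOSTB now sees every redirected session as coming from 192.168.2.14: HOSTB's auth logs lose the real client address, and any address-based access control for those SSH users has to be enforced on HOSTA (or upstream on the PIX) rather than on HOSTB.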

------------------------------

Message: 8
Date: Fri, 11 Jan 2008 02:18:19 -0200
From: "Alexandre Biancalana" <bianc...@gmail.com>
Subject: Re: carpdev ...
To: "Max Laier" <m...@love2party.net>
Cc: freeb...@freebsd.org
Message-ID:
<8e10486b0801102018h4f4...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 1/11/08, Max Laier <m...@love2party.net> wrote:
>
> That's good to hear, keep us up to date!

The never-ending history finishes here!! hahahah

Everything works as expected, carp with failover is awesome!! The only
thing that I noted is that active connections are being broken
during failover (master -> slave transition).

i.e.: a download running during master reboot/failure is interrupted.

But this is my first carp setup, so I will review all configuration
and read more about it.

Thanks a lot for your work Max !

Best Regards,
Alexandre


------------------------------

Message: 9
Date: Fri, 11 Jan 2008 01:32:18 -0800
From: "Kian Mohageri" <kian.m...@gmail.com>
Subject: Re: carpdev ...
To: "Alexandre Biancalana" <bianc...@gmail.com>
Cc: freeb...@freebsd.org
Message-ID:
<fee88ee40801110132n77b...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Jan 10, 2008 8:18 PM, Alexandre Biancalana <bianc...@gmail.com> wrote:
> On 1/11/08, Max Laier <m...@love2party.net> wrote:
> >
> > That's good to hear, keep us up to date!
>
> The never-ending history finishes here!! hahahah
>
> Everything works as expected, carp with failover is awesome!! The only
> thing that I noted is that active connections are being broken
> during failover (master -> slave transition).
>
> i.e.: a download running during master reboot/failure is interrupted.
>
> But this is my first carp setup, so I will review all configuration
> and read more about it.
>

Are you using pfsync?

-Kian


------------------------------

Message: 10
Date: Fri, 11 Jan 2008 08:52:30 -0200
From: "Alexandre Biancalana" <bianc...@gmail.com>
Subject: Re: carpdev ...
To: "Kian Mohageri" <kian.m...@gmail.com>
Cc: freeb...@freebsd.org
Message-ID:
<8e10486b0801110252w45...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 1/11/08, Kian Mohageri <kian.m...@gmail.com> wrote:
> On Jan 10, 2008 8:18 PM, Alexandre Biancalana <bianc...@gmail.com> wrote:
> > On 1/11/08, Max Laier <m...@love2party.net> wrote:
> > >
> > > That's good to hear, keep us up to date!
> >
> > The never-ending history finishes here!! hahahah
> >
> > Everything works as expected, carp with failover is awesome!! The only
> > thing that I noted is that active connections are being broken
> > during failover (master -> slave transition).
> >
> > i.e.: a download running during master reboot/failure is interrupted.
> >
> > But this is my first carp setup, so I will review all configuration
> > and read more about it.
> >
>
> Are you using pfsync?

Yes, I have one interface on each machine dedicated to pfsync.


------------------------------

End of freebsd-pf Digest, Vol 172, Issue 4
******************************************
