Hey guys, what will I change in pf.conf if I'm not going to use NAT anymore? It's because the current setup of the servers, including the firewall, uses publicly routable addresses and there is no NAT. I still want to have failover that maintains existing states/connections even if one firewall goes down or cables get disconnected. Here is my pf.conf in my test setup. Let's just assume that the IP addresses and subnets below are routable. Thanks, Neil
---pf.conf----
ext_if="fxp1"
int_if="xl0"
pfsync_if="fxp0"
carp_interfaces="{ carp0, carp1 }"
carp_ext="carp1"
carp_int="carp0"
all_if="{ fxp1, xl0, fxp0 carp0 carp1 }"
#-------------------------------------------------
# Options
#-------------------------------------------------
set skip on { lo $int_if }
set block-policy drop
scrub in
scrub out all random-id
nat on $ext_if from $carp_int:network to any -> ($carp_ext)
rdr on $ext_if proto tcp from any to 192.168.1.100 port 1433 -> 172.16.0.9 port 1433
#-------
# Set default policy
#------
block log all
#------------------------------------------------
# Anti-spoof rules
#------------------------------------------------
pass quick on lo0 all
#antispoof for $all_if inet
pass out on { $ext_if $int_if } modulate state
#-----------
# Allow CARP/PFSYNC traffic
#------------
pass quick on { $ext_if $int_if } proto carp keep state
pass quick on $pfsync_if proto pfsync
# Allow ping of the firewall (including VIPs), easier to debug
pass in quick inet proto icmp from any to self icmp-type echoreq keep state
# Allow ping of the CARP interface
pass in quick inet proto icmp from any to $carp_interfaces icmp-type echoreq keep state
# Allow anything on the pfsync_if/private network (for now)
pass quick on $pfsync_if
pass in on $carp_int from $carp_int:network modulate state
pass in on $ext_if inet proto tcp from any to 172.16.0.9 port { 22, 25, 80, 1433 } keep state

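As an added example (not Neil's file), here is a routed, NAT-free variant of the same ruleset: the nat and rdr lines are removed, the server is addressed by its own routable address, and the CARP/pfsync rules stay so that states created on the active firewall are replicated to the standby. The addresses (203.0.113.x, 10.0.0.2) are constructed placeholders from the RFC 5737/1918 ranges, and the internal interface is filtered rather than skipped.

```pf
# Added example, not the original posted pf.conf. Placeholder addresses only.
ext_if="fxp1"
int_if="xl0"
pfsync_if="fxp0"
carp_ext="carp1"
carp_int="carp0"
carp_interfaces="{ carp0, carp1 }"
int_net="203.0.113.0/28"      # placeholder: routed internal subnet behind carp0
db_srv="203.0.113.9"          # placeholder: the server's own public address

set block-policy drop
set skip on lo
scrub in
scrub out all random-id

# No nat/rdr: both sides are publicly routable, so pf only forwards and
# filters. Clients reach $db_srv directly instead of via a translated address.

block log all
pass quick on lo0 all

# CARP advertisements on both segments, pfsync only on the dedicated sync
# link. pfsync carries state in cleartext, so nothing else is opened on it.
pass quick on { $ext_if $int_if } proto carp keep state
pass quick on $pfsync_if proto pfsync

# Stateful rules: every state created here is replicated to the peer, so
# established connections survive a CARP failover.
pass out on { $ext_if $int_if } keep state
pass in on $carp_int from $int_net keep state

# Ping of the firewall and its CARP VIPs, for troubleshooting
pass in quick inet proto icmp from any to self icmp-type echoreq keep state
pass in quick inet proto icmp from any to $carp_interfaces icmp-type echoreq keep state

# Published services, addressed directly (replaces the rdr to 172.16.0.9)
pass in on $ext_if inet proto tcp from any to $db_srv port { 22, 25, 80, 1433 } keep state
```

Verify the result with `pfctl -nf /etc/pf.conf` on both firewalls before loading, and confirm replication with `pfctl -ss` on the standby after opening a test connection through the master.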