Thanks Stuart, really appreciate your help.
Now the config file I have written keeps giving a syntax
error on the following line. Can you help me sort this
as well? I can't seem to find anything wrong with this
..

pass in on $int_if proto tcp route-to { ($ext_if1 $ext_gw1) } from \
    $lan_net port {$ports} flags S/SA keep state

Here is my new pf.conf
thanks again ..
lan_net = "10.0.0.0/16"
int_if = "epic0"
ext_if1 = "pcn0"
ext_if2 = "fxp0"
ext_gw1 = "192.168.0.1"
ext_gw2 = "203.81.235.1"
chadd = "10.0.0.1"
ports = "21 22 25 53 80 110 119 123 143 443 465 554 900 995 1755 1863 1999 2090 2091 2095 3000 3020 2020 3389 5000 5001 5050 5100 5190 6667 11999 14360"

table <allowedclients> persist file "/etc/allowedclients"

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to <allowedclients> -> ($ext_if1)
nat on $ext_if2 from $lan_net to <allowedclients> -> ($ext_if2)
rdr on $int_if proto tcp from <allowedclients> to any port 80 -> $chadd port 8080

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

pass in on $int_if inet tcp route-to { ($ext_if1 $ext_gw1) } from \
    $lan_net to any port {$ports} keep state
pass in on $int_if route-to { ($ext_if2 $ext_gw2) } from \
    $lan_net flags S/SA keep state

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
--- Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/01/05 23:56, S t i n g r a y wrote:
> > Well, a few days ago I mailed a problem of mine, which was that I
> > have purchased multiple internet connections & now would like to
> > divide specific protocols between them. Now I tried searching the
> > internet for this, but couldn't find anything encouraging .. most of
> > the people out there are as confused as me. Now I want to know: is
> > this possible or not with OpenBSD & pf?
>
> In the ruleset you posted, you have nothing to tell PF which
> connection to use to send packets, so the default route is used.
>
> See http://www.openbsd.org/faq/pf/pools.html#outgoing for a
> basic setup to use two internet connections and balance traffic
> between them. The 'pass in on $int_if route-to' rules in the
> examples there use round-robin like this:
>
> route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
>
> this shares traffic between two connections.
>
> Since you just want a set of protocols using one connection without
> balancing, you'll need two pass rules, first the general case without
> listing ports, then the rule for the particular protocols that you
> want using the other connection.
>
> pass in on $int_if route-to { ($ext_if2 $ext_gw2) } from \
>     $lan to any port { $ports } flags S/SA keep state
>
> pass in on $int_if route-to { ($ext_if1 $ext_gw1) } from \
>     $lan flags S/SA keep state
>
> > Is there anyone out there who likes sharing his pf.conf with me? I
> > would be much grateful.
>
> You should have enough information to write this yourself now.
> That's much better than using somebody else's ruleset so you can
> understand how it works.
>
> If you're still confused, read pf.conf(5) about route-to and
> reply-to and experiment.
>
> If you use 'log' on all of your rules, then you can check which
> rules are matching with 'tcpdump -nettipflog0' (use pfctl -sr -vv
> to identify rule numbers).
>
> If you use 'tcpdump -nifxp0' and 'tcpdump -nipcn0' you can check
> which packets are being sent via which interface and whether they
> have been NATted to the correct address for that connection.
>
>
*:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$
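The syntax error in the quoted line comes from keyword order: in the pf.conf(5) grammar the route-to option sits before the address family and the proto keyword, and "inet tcp" needs "proto". The fragment below is an added example (not the poster's or Stuart's config) of the two route-to rules written in that order, reusing the macros from the pf.conf above; it also orders them so that, with PF's last-match semantics, the port-specific rule wins for the listed ports.

```pf
# Added example, not code from the thread. Macros $int_if, $ext_if1, $ext_gw1,
# $ext_if2, $ext_gw2, $lan_net and $ports are assumed from the pf.conf above.
#
# pf.conf(5) rule grammar:
#   action [in|out] [log] [quick] [on ifspec] [route] [af] [protospec] hosts [filteropts]
# "route-to" belongs in the [route] slot, BEFORE "inet" / "proto tcp", so
# "proto tcp route-to ..." and "inet tcp route-to ..." are rejected by pfctl.

# General case first: all LAN traffic leaves via the second link.
pass in log on $int_if route-to ($ext_if2 $ext_gw2) \
    from $lan_net to any keep state

# Specific case last: PF evaluates every rule and the LAST match wins, so this
# rule overrides the one above for the listed TCP ports and sends them via the
# first link. (Add "quick" to a rule if you want first-match behaviour instead.)
pass in log on $int_if route-to ($ext_if1 $ext_gw1) inet proto tcp \
    from $lan_net to any port { $ports } flags S/SA keep state

# "log" is on both rules so the match can be confirmed on pflog0 as Stuart
# describes. Parse the file without loading it, then print the expanded rules:
#   pfctl -nf /etc/pf.conf
#   pfctl -vnf /etc/pf.conf
```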