Dear list,
I'm new to pf.
I have a problem making a pf redirect rule from the Internet to my internal DMZ server work, along with load balancing of outgoing connections.
Maybe the problem is that I have a load-balancing rule for outgoing connections, which must have no default gateway.
If I apply a default gateway, the redirect rule works fine, but there is no load balancing at all.
These are my rules:
# macros
lan_net = "172.16.0.0/16"
dmz_net = "10.10.10.0/24"
int_if = "xl0"
dmz_if = "rl3"
ext_if1 = "rl0"
ext_if2 = "rl1"
ext_if = "{" $ext_if1 $ext_if2 "}"
gw1 = "202.xxx.254.3"
gw2 = "202.xxx.255.170"
ext_gw1 = "202.xxx.254.1"
ext_gw2 = "202.xxx.255.169"
server_dmz = "10.10.10.2/32"
server_ext = "202.xxx.254.4/32"
priv_nets = "{ 127.0.0.0/8 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 }"

# scrub incoming packets
scrub in all

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> $gw1
nat on $ext_if2 from $lan_net to any -> $gw2
nat on $ext_if1 from $dmz_net to any -> $gw1
nat on $ext_if2 from $dmz_net to any -> $gw2

# smtp access from outside
rdr on $ext_if proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

# default to deny
block log all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all

# no RFC 1918 addresses on the external interfaces
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# beastie
pass in on $int_if proto tcp from 172.16.0.228 to any port 22 keep state

# load balancing rules
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $dmz_net to any flags S/SA modulate state
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $dmz_net to any keep state

# general pass out
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
Please help me.
Regards,
Reza
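What the inbound rdr path needs on a pf firewall with two uplinks, as an added example by the editor that is not part of the original post: the redirect itself, a pass rule that matches the translated (DMZ) destination, and reply-to on that pass rule so the DMZ server's replies leave through the link the connection arrived on instead of through the routing table. Interface names follow the macros in the post; the 192.0.2.x and 198.51.100.x addresses are RFC 5737 documentation placeholders standing in for the elided 202.xxx ones and are assumptions.

```pf
# Added example for a two-uplink pf firewall; not the poster's ruleset.
# Interface names follow the post; gateway and server addresses are
# RFC 5737 documentation placeholders (assumption).
ext_if1 = "rl0"
ext_if2 = "rl1"
dmz_if  = "rl3"
ext_gw1 = "192.0.2.1"          # placeholder for the ISP 1 gateway
ext_gw2 = "198.51.100.1"       # placeholder for the ISP 2 gateway
server_ext = "192.0.2.4/32"    # placeholder public address of the mail host
server_dmz = "10.10.10.2/32"
dmz_net = "10.10.10.0/24"

# Inbound SMTP arriving on either link is redirected to the DMZ host.
rdr on { $ext_if1 $ext_if2 } proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

# Filter rules see the packet after translation, so the pass rule must
# match the DMZ address, not the public one. reply-to records the inbound
# link's gateway in the state entry; reply packets matching that state are
# handed to that gateway regardless of what the routing table says.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to $server_dmz port smtp flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to $server_dmz port smtp flags S/SA keep state

# Connections the DMZ host opens itself are still spread across both links.
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $dmz_net to any flags S/SA modulate state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and after a test connection `pfctl -ss` should show one state for the redirected session. route-to and reply-to only steer packets that match those rules; everything else, including the firewall's own traffic, still follows the routing table, so a default route through one of the gateways can stay in place without changing how the round-robin rules distribute the matched connections.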