Dear list,
I skipped the default-to-deny rule (block log all), but still
no luck.
For load balancing outgoing connections, should I apply a
default gateway to the Internet?
Please enlighten me.
Regards,
Reza
--- Reza Muhammad <[EMAIL PROTECTED]> wrote:
> Dear list,
>
> I'm new to pf.
> I have a problem making a pf redirect rule from the net to
> my internal DMZ server work, along with load balancing
> outgoing connections.
> Maybe the problem is that I have a load balancing rule for
> outgoing connections, which must have no default gateway.
> If I apply a default gateway, the redirect rule works well,
> but there is no load balancing at all.
> These are my rules:
>
> # macros
> lan_net = "172.16.0.0/16"
> dmz_net = "10.10.10.0/24"
> int_if = "xl0"
> dmz_if = "rl3"
> ext_if1 = "rl0"
> ext_if2 = "rl1"
> ext_if = "{" $ext_if1 $ext_if2 "}"
> gw1 = "202.xxx.254.3"
> gw2 = "202.xxx.255.170"
> ext_gw1 = "202.xxx.254.1"
> ext_gw2 = "202.xxx.255.169"
> server_dmz = "10.10.10.2/32"
> server_ext = "202.xxx.254.4/32"
> priv_nets = "{127.0.0.1/8 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12}"
>
> # scrub incoming packets
> scrub in all
>
> # nat outgoing connections on each internet interface
> nat on $ext_if1 from $lan_net to any -> $gw1
> nat on $ext_if2 from $lan_net to any -> $gw2
> nat on $ext_if1 from $dmz_net to any -> $gw1
> nat on $ext_if2 from $dmz_net to any -> $gw2
>
> # smtp access from outside
> rdr on $ext_if proto tcp from any to $server_ext port smtp \
>     -> $server_dmz port smtp
>
> # default to deny
> block log all
>
> # pass traffic on the loopback interface in either direction
> pass quick on lo0 all
>
> # no RFC1918
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> # beastie
> pass in on $int_if proto tcp from 172.16.0.228 to any port 22 keep state
>
> # load balancing rules
> pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin proto tcp from $lan_net to any flags S/SA modulate state
> pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin proto { udp, icmp } from $lan_net to any keep state
> pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin proto tcp from $dmz_net to any flags S/SA modulate state
> pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin proto { udp, icmp } from $dmz_net to any keep state
>
> # general pass out
> pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
> pass out on $ext_if1 proto { udp, icmp } from any to any keep state
> pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
> pass out on $ext_if2 proto { udp, icmp } from any to any keep state
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>
> Please help me.
>
> Regards,
> Reza
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail - 50x more storage than other providers!
> http://promotions.yahoo.com/new_mail
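An added example, not the poster's config and not a reply from the list: the redirect rule together with the pass rule pf needs before it will let the translated traffic through, written with the macro names and placeholder addresses from the quoted pf.conf and assuming the public SMTP address is reached through $ext_if1 only.

```pf
# Added example, not the poster's config. Macro names and the placeholder
# addresses are taken from the quoted pf.conf; it is assumed here that the
# public address $server_ext is reached through $ext_if1 only.
ext_if1    = "rl0"
ext_gw1    = "202.xxx.254.1"
server_dmz = "10.10.10.2/32"
server_ext = "202.xxx.254.4/32"

# Translation is applied before filtering, so after this rdr the filter
# rules see a packet addressed to $server_dmz port 25, not to $server_ext.
rdr on $ext_if1 proto tcp from any to $server_ext port smtp \
    -> $server_dmz port smtp

# Default deny, as in the quoted config: "block log all" also covers the
# redirected packets unless a later pass rule matches their new destination.
block log all

# The pass rule must therefore name the translated destination. reply-to
# pins the server's replies to the gateway of the interface the connection
# came in on, so the state works without a default route on the firewall.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any \
    to $server_dmz port smtp flags S/SA keep state
```

Whether the redirected packets are being dropped by the default deny can be seen with `tcpdump -n -e -ttt -i pflog0`, where they appear as blocked traffic to 10.10.10.2 port 25.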