Hi all:

We have a firewall with 4 interfaces (2 outside, to two different routers and
ISPs, 1 inside and 1 DMZ); the machine is running a Squid web proxy too.
We want to do balancing on outgoing connections only for the web traffic. We
have managed to do that, and now the packets are going out on ext_if and ext_if2,
but they are all coming back in on ext_if, so those arising from traffic on
ext_if2 are rejected. Maybe a NAT problem, or is it related to the stateful
tables? Any idea?



This is the pf.conf :


#Interfaces
ext_if="em1"
int_if="em0"
ext_if2="em2"
dmz_if="rl0"
ext_gw="192.168.3.1"
ext_gw2="192.168.0.1"
loop="lo0"

#networks
ext_net="192.168.3.0/24"
int_net="192.168.1.0/24"
dmz_net="192.168.2.0/24"

#some hosts
dmz_host="192.168.2.2"     #this is the mail server and fax (for internal net) server

private = "{127.0.0.0/8 192.168.1.0/24 172.16.0.0/12 10.0.0.0/8}"

capaos= "{4099, 5090, 4661, 4662, 4665, 4672, 1214, 1863, 5190, 6891:6900, \
          4500, 59, 1080, 6660:6669, 113, 6699, 6257, 5000, 5001, 2234}"

#options
set block-policy drop
set loginterface $ext_if
set optimization normal
#set skip on $loop

#normalizations
scrub in on $ext_if all
scrub in on $ext_if2 all

#nat / rd
nat on $ext_if from !($ext_if) to any -> ($ext_if)      #changed to these rules to make the routing work
nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)


rdr on $int_if inet proto tcp from any to any port www -> 192.168.1.1 port 8080   # squid
rdr on $ext_if inet proto tcp from any to $ext_if port smtp -> $dmz_host port smtp
rdr on $int_if inet proto tcp from any to $dmz_host port smtp -> $dmz_host port smtp
rdr on $int_if inet proto tcp from any to $dmz_host port pop3 -> $dmz_host port pop3
rdr on $int_if inet proto tcp from any to $dmz_host port ssh -> $dmz_host port ssh
rdr on $int_if inet proto tcp from any to $dmz_host port 4559 -> $dmz_host port 4559   #hylafax

#rules
block in log all
block in quick inet6 all
block out quick inet6 all

#flags against port scanners
block in log quick proto tcp all flags SF/SFRA
block in log quick proto tcp all flags SFUP/SFRAU
block in log quick proto tcp all flags FPU/SFRAUP
block in log quick proto tcp all flags /SFRA
block in log quick proto tcp all flags F/SFRA
block in log quick proto tcp all flags U/SFRAU
block in log quick proto tcp all flags P

#antispoof quick for {$int_if, $ext_if }
#block return in log on $ext_if proto {udp, tcp} all


#output load balancing tcp 

pass out on $ext_if from any to any modulate state          #I put this rule first so the second one matches the web traffic

pass out log on $ext_if route-to \
    { ($ext_if  $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from any to any port www keep state


pass in on $int_if all keep state
pass out log on $int_if inet proto udp from $dmz_host to 192.168.1.8 port 53

#NFS Memnoch (this is an NFS connection from DMZ to LAN)
pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 111
pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 2049

pass in log on $dmz_if all keep state   #still not refined
pass out log on $dmz_if all keep state

pass out log on $ext_if2 from any to any modulate state      # ext_if2 outgoing rule

#route packets from any IPs on $ext_if to $ext_gw and $ext_if2 to $ext_gw2
#that's referenced in the FAQ.. necessary? neither works..
#pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any modulate state
#pass out on $ext_if2 route-to ($ext_if $ext_gw) from $ext_if to any modulate state


block in log quick on $ext_if inet from any to {255.255.255.255, 213.172.59.151}
block return-rst in log quick on $ext_if proto tcp from any to any port \
{111, 1080, 6000, 6667, 139, 4662}

block in log quick on $ext_if2 inet from any to {255.255.255.255, 213.172.59.151}
block return-rst in log quick on $ext_if2 proto tcp from any to any port \
{111, 1080, 6000, 6667, 139, 4662}

#block return-rst in log quick on $int_if proto tcp from any to any port \
#{111,1080, 6000, 6667, 139, 4662}


#block ports
block out log quick on $ext_if proto tcp from any to any port $capaos
block out log quick on $ext_if2 proto tcp from any to any port $capaos

#proxy  
pass in on $int_if inet proto tcp from any to 192.168.1.1 port 8080 keep state

#ssh
pass in log on $int_if inet proto tcp from any to 192.168.1.1 port ssh keep state
pass in log on $int_if inet proto tcp from any to 192.168.2.2 port ssh keep state
#pass in log on $dmz_if inet proto tcp from $int_net to $dmz_host port ssh keep state
#lo0
pass quick on lo0 all

----------------------------------------------------

Remember that we want to balance the outgoing web traffic generated by the Squid
proxy on the same machine....

Thanks in advance and greetings from Spain....

Jose M;
