--- Jose Mejia <[EMAIL PROTECTED]> wrote:
>
> Hi all, here we go again with that matter:
>
> We've a firewall with 4 interfaces (2 outside to two different routers and
> ISPs, 1 inside and 1 DMZ); the machine is running a Squid web proxy too. We
> wanna make balancing on outgoing connections only for the web traffic. We
> have got that working, and now the packets are going out on ext_if and
> ext_if2, but they're all coming back in ext_if, so those which arise from
> traffic on ext_if2 are rejected. Maybe a NAT problem, or is it related to
> stateful tables..... any idea?
>
> This is the pf.conf :
>
> #Interfaces
> ext_if="em1"
> int_if="em0"
> ext_if2="em2"
> dmz_if="rl0"
> ext_gw="192.168.3.1"
> ext_gw2="192.168.0.1"
> loop="lo0"
>
> #networks
> ext_net="192.168.3.0/24"
> int_net="192.168.1.0/24"
> dmz_net="192.168.2.0/24"
>
> #some hosts
> dmz_host="192.168.2.2" #this is the mail server and fax (for internal net) server
>
> private = "{127.0.0.0/8 192.168.1.0/24 172.16.0.0/12 10.0.0.0/8}"
>
> capaos= "{4099, 5090, 4661, 4662, 4665, 4672, 1214, 1863, 5190, 6891:6900, 4500, \
>           59, 1080, 6660:6669, 113, 6699, 6257, 5000, 5001, 2234}"
>
> #options
> set block-policy drop
> set loginterface $ext_if
> set optimization normal
> #set skip on $loop
>
> #normalizations
> scrub in on $ext_if all
> scrub in on $ext_if2 all
>
> #nat / rd
> nat on $ext_if from !($ext_if) to any -> ($ext_if) #changed to these rules to make the routing
> nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)
>
NAT is correct, but this is not important right now. We care about
squid.
Check this: http://www.benzedrine.cx/transquid.html
What is your default gateway?
>
> rdr on $int_if inet proto tcp from any to any port www -> 192.168.1.1 port 8080 # squid
> rdr on $ext_if inet proto tcp from any to $ext_if port smtp -> $dmz_host port smtp
> rdr on $int_if inet proto tcp from any to $dmz_host port smtp -> $dmz_host port smtp
> rdr on $int_if inet proto tcp from any to $dmz_host port pop3 -> $dmz_host port pop3
> rdr on $int_if inet proto tcp from any to $dmz_host port ssh -> $dmz_host port ssh
> rdr on $int_if inet proto tcp from any to $dmz_host port 4559 -> $dmz_host port 4559 #hylafax
>
> #rules
> block in log all
> block in quick inet6 all
> block out quick inet6 all
>
> #flags against scanners
> block in log quick proto tcp all flags SF/SFRA
> block in log quick proto tcp all flags SFUP/SFRAU
> block in log quick proto tcp all flags FPU/SFRAUP
> block in log quick proto tcp all flags /SFRA
> block in log quick proto tcp all flags F/SFRA
> block in log quick proto tcp all flags U/SFRAU
> block in log quick proto tcp all flags P
>
> #antispoof quick for {$int_if, $ext_if }
> #block return in log on $ext_if proto {udp, tcp} all
>
>
> #output load balancing tcp
>
> pass out on $ext_if from any to any modulate state #I put that rule first so the second matches the web traffic
>
> pass out log on $ext_if route-to \
> { ($ext_if $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
> proto tcp from any to any port www keep state
>
My suggestion is to reorder your pf.conf.
Order first $int_if, then $int_if2, etc.
Then you and others can read pf.conf with ease.
The rule below will work if your default gateway is on $ext_if:
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to any port www keep state probability 50%
>
> pass in on $int_if all keep state
> pass out log on $int_if inet proto udp from $dmz_host to 192.168.1.8
> port 53
>
> #NFS Memnoch (this is a NFS connection from DMZ to LAN, I know it is very insecure but it is only for now)
> pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 111
> pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 2049
>
> pass in log on $dmz_if all keep state #still not refined
> pass out log on $dmz_if all keep state
>
> pass out log on $ext_if2 from any to any modulate state # ext_if2 outgoing rule
>
> #route packets from any IPs on $ext_if to $ext_gw and $ext_if2 to $ext_gw2
> ##that's referenced in the FAQ.....necessary?....neither works..
> #pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any modulate state
> #pass out on $ext_if2 route-to ($ext_if $ext_gw) from $ext_if to any modulate state
>
>
> block in log quick on $ext_if inet from any to {255.255.255.255, 213.172.59.151}
> block return-rst in log quick on $ext_if proto tcp from any to any port {111, 1080, 6000, 6667, 139, 4662}
>
> block in log quick on $ext_if2 inet from any to {255.255.255.255, 213.172.59.151}
> block return-rst in log quick on $ext_if2 proto tcp from any to any port {111, 1080, 6000, 6667, 139, 4662}
>
> #block return-rst in log quick on $int_if proto tcp from any to any port {111, 1080, 6000, 6667, 139, 4662}
>
>
> #Port blocking
> block out log quick on $ext_if proto tcp from any to any port $capaos
> block out log quick on $ext_if2 proto tcp from any to any port $capaos #some port-blocking
>
> #proxy
> pass in on $int_if inet proto tcp from any to 192.168.1.1 port 8080 keep state
>
> #ssh
> pass in log on $int_if inet proto tcp from any to 192.168.1.1 port ssh keep state
> pass in log on $int_if inet proto tcp from any to 192.168.2.2 port ssh keep state
> #pass in log on $dmz_if inet proto tcp from $int_net to $dmz_host port ssh keep state
>
> #lo0
> pass quick on lo0 all
>
> ----------------------------------------------------
>
> Remember we want to balance the web outgoing traffic, generated by the Squid
> proxy in the same machine....
>
> Thks in advance and greetings
>
> Jose M;
>
>
>
>
Can you give ifconfig output and /etc/mygate?
Also try using pfctl -vsr and look at what's going on on $ext_if and
$ext_if2. What is the last matched rule, etc.
Cheers
Tihomir Koychev
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
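For readers following this thread, here is the outgoing load-balancing pattern from the pf FAQ that Jose's commented-out "fix-up" rules refer to, written out as an added example using the thread's interface and gateway macros. It is not Jose's pf.conf and not the rule proposed in the reply; the int_net macro, the default-deny lines and the LAN pass rules are assumptions added for completeness. The difference from the quoted config is where route-to sits: the FAQ places it on the pass in rule on $int_if rather than on a pass out rule on $ext_if, and keeps a nat rule on each external interface. Note that this pattern balances traffic forwarded from LAN clients; connections the firewall itself originates (Squid listening on the firewall) never traverse a pass in rule on $int_if and so are not balanced by it.

```pf
# Added example: pf FAQ outgoing load-balancing pattern, this thread's macros.
# Not the poster's configuration; int_net and the LAN rules are assumptions.
ext_if="em1"
ext_if2="em2"
int_if="em0"
ext_gw="192.168.3.1"
ext_gw2="192.168.0.1"
int_net="192.168.1.0/24"

set skip on lo0

# Translate on whichever external interface the packet actually leaves on.
nat on $ext_if  from $int_net to any -> ($ext_if)
nat on $ext_if2 from $int_net to any -> ($ext_if2)

# Default deny; later, more specific rules win (last match), quick rules stop.
block in all
block out all

# LAN side: the gateway itself must stay reachable, and replies must go back out.
pass in quick on $int_if from $int_net to $int_if
pass out on $int_if from any to $int_net

# Everything else from the LAN leaves via the routing table's default route.
pass in on $int_if from $int_net to any keep state

# Balance new web connections from the LAN across both links. route-to sits on
# the inbound rule on $int_if, as in the FAQ; it comes after the generic pass in
# rule so that it is the last match for port 80 traffic.
pass in on $int_if route-to \
    { ($ext_if $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
    inet proto tcp from $int_net to any port www flags S/SA modulate state

# General outbound on both external interfaces.
pass out on $ext_if  from any to any keep state
pass out on $ext_if2 from any to any keep state

# Fix-up rules from the FAQ: a packet carrying one link's address must leave
# through that link's gateway, even if the routing table would pick the other.
# These are the two rules commented out in the quoted config.
pass out on $ext_if  route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any keep state
pass out on $ext_if2 route-to ($ext_if $ext_gw)   from ($ext_if)  to any keep state
```

After loading this, the check the reply asks for applies: pfctl -ss should show web states on $ext_if2 whose translated source is the $ext_if2 address. If every state carries the $ext_if address regardless of the interface it was created on, translation is happening before the egress interface is chosen, and the return path will be the first link's router, which is the symptom described at the top of the thread.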