pf and ipfw
Muhammad Reza
reza at mra.co.id
Tue Aug 10 06:09:06 PDT 2004
Max Laier wrote:
>On Monday 09 August 2004 09:07, Muhammad Reza wrote:
>
>>Dear Lists,
>>
>>Can pf rules work together with ipfw rules?
>>I need pf rules to do some outgoing load balancing, but still need ipfw to
>>do some basic packet filtering, because I have difficulty setting pf rules
>>to default to block when they are applied together with load-balancing rules.
>>Please enlighten me.
>>
>
>While it is possible to use pf and ipfw in conjunction, it is certainly
>preferable to settle for either one on its own. It should not be too much of
>a problem to get pf to do what you want/need. If you have more specific
>questions you can post to pf4freebsd at freelists.org
>
Dear lists, thanks for the great response. I'm new with pf.
I have a problem making a pf redirect rule forward traffic from the net to my
DMZ internal server.
Maybe the problem is that I have a load-balancing rule for outgoing
connections, which must have no default gateway.
If I apply a default gateway, the redirect rule works well, but there is no
load balancing at all.
These are my rules:
#macros
lan_net = "172.16.0.0/16"
dmz_net = "10.10.10.0/24"
int_if = "xl0"
dmz_if = "rl3"
ext_if1 = "rl0"
ext_if2 = "rl1"
ext_if = "{" $ext_if1 $ext_if2 "}"
gw1 = "202.xxx.254.3"
gw2 = "202.xxx.255.170"
ext_gw1 = "202.xxx.254.1"
ext_gw2 = "202.xxx.255.169"
server_dmz = "10.10.10.2/32"
server_ext = "202.xxx.254.4/32"
priv_nets = "{127.0.0.1/8 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12}"
# scrub incoming packets
scrub in all
# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> $gw1
nat on $ext_if2 from $lan_net to any -> $gw2
nat on $ext_if1 from $dmz_net to any -> $gw1
nat on $ext_if2 from $dmz_net to any -> $gw2
# smtp access from outside
rdr on $ext_if proto tcp from any to $server_ext port smtp -> $server_dmz port smtp
# default to deny
block log all
# pass traffic on the loopback interface in either direction
pass quick on lo0 all
# no RFC1819
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# beastie
pass in on $int_if proto tcp from 172.16.0.228 to any port 22 keep state
# load balancing rules
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $dmz_net to any flags S/SA modulate state
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $dmz_net to any keep state
# general pass out
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
Please help me.
Regards,
Reza
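As an added example (not part of the post or the poster's ruleset), this is how an inbound rdr to a DMZ host is usually handled on a dual-uplink pf box that has no default route: rdr only translates, so the redirected connection still needs a pass rule, and reply-to on that pass rule pins the return path of the state to the uplink the connection came in on. It reuses the macros from the post and assumes $server_ext is an address on $ext_if1's network.

```pf
# Added example, not the poster's config. Assumes the macros defined above:
# $ext_if1, $ext_gw1, $ext_if2, $ext_gw2, $server_ext, $server_dmz, $dmz_if, $dmz_net.

# 1. Translation only: rdr rewrites the destination address, it passes nothing.
#    With "block log all" as the default, a matching pass rule is still required.
rdr on $ext_if1 proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

# 2. Pass the redirected connection and create state on the external interface.
#    Inbound filtering happens after translation, so match on $server_dmz.
#    reply-to makes the state send reply packets back out $ext_if1 via $ext_gw1,
#    so the server's answers are never handed to the round-robin route-to rules
#    and sent out the other uplink with a source address that uplink cannot use.
#    This is what lets inbound services work without a default route.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to $server_dmz port smtp flags S/SA keep state

# 3. Outbound load balancing stays as before. pf consults the state table before
#    it evaluates rules, so replies belonging to the reply-to state above are
#    already claimed; this rule only ever sees new connections started from the DMZ.
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $dmz_net to any flags S/SA modulate state

# 4. Traffic that was routed in on the "other" uplink must leave through that
#    uplink's gateway, otherwise it goes out with the wrong source address.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

Load with pfctl -nf to syntax-check first; if a second public address for the mail server lives on $ext_if2, repeat rules 1 and 2 for that interface with ($ext_if2 $ext_gw2).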