PF, reply-to and synproxy
Nils Vogels
bacardicoke+sender+38c70d at gmail.com
Sat Nov 5 06:13:06 PST 2005
Hi there,
I currently have the situation where I use the pf route-to and reply-to
statements to direct traffic the right way in my network.
My firewall has two ISPs connected to it; the default route is set to
ISP1. Their interfaces are called if_isp1 and if_isp2. I want to have a
webserver (server1) that is behind my firewall to be reachable using
both ISPs.
What I have seen is that when I take the following ruleset:
rdr on $if_isp1 proto tcp from any to $ipv4_isp1 port $http -> $ipv4_imhotep port $http
rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http
pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port $http \
    flags S/SA synproxy state queue (q_def_1, q_pri_1)
pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2) proto tcp \
    from any port > 1023 to $ipv4_server1 port $http \
    flags S/SA synproxy state queue (q_def_2, q_pri_2)
Traffic from $if_isp2 to my webserver seems to get dropped in my FreeBSD
5.3-RELEASE-p2 firewall, while traffic from $if_isp1 works fine, whereas
when I use
rdr on $if_isp1 proto tcp from any to $ipv4_isp1 port $http -> $ipv4_imhotep port $http
rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http
pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port $http \
    flags S/SA synproxy state queue (q_def_1, q_pri_1)
pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2) proto tcp \
    from any port > 1023 to $ipv4_server1 port $http \
    flags S/SA keep state queue (q_def_2, q_pri_2)
both ISP interfaces can access my webserver. I've tried altering
everything else, but for some reason only disabling synproxy and going
back to keep state gives me the result I want. Did I in some way run
into a bug, or is this documented somewhere? (I couldn't find it.)
Thanks,
Nils
--
Those who desire to give up freedom in order to gain security, will not have, nor do they deserve, either one.
~Benjamin Franklin (American Statesman, Scientist, Philosopher, Printer, Writer and Inventor. 1706-1790)
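A small ruleset check, added here as an example and not part of Nils's post or of pf itself. It joins pf.conf backslash continuations into logical rules, flags pass/block rules that combine "synproxy state" with reply-to or route-to (the combination the post reports as failing on the ISP2 path; the check does not claim this is a documented incompatibility, it only makes the combination easy to find in a larger ruleset), and applies the workaround the post found, swapping "synproxy state" for "keep state" on the flagged rules only. The embedded sample ruleset is constructed for this example: the two rdr and two pass rules are the post's, the macro definitions at the top are assumed values.

```python
import re

# Constructed sample: the rdr/pass rules are those from the post, the three
# macro definitions are assumed values so the file looks like a real pf.conf.
SAMPLE_RULESET = r"""
if_isp1 = "em0"
if_isp2 = "em1"
http = "80"
rdr on $if_isp1 proto tcp from any to $ipv4_isp1 port $http -> $ipv4_imhotep port $http
rdr on $if_isp2 proto tcp from any to $ipv4_isp2 port $http -> $ipv4_imhotep port $http
pass in quick on $if_isp1 proto tcp from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_1, q_pri_1)
pass in quick on $if_isp2 reply-to ($if_isp2 $ipv4_gw_isp2 ) proto tcp \
    from any port > 1023 to $ipv4_server1 port \
    $http flags S/SA synproxy state queue (q_def_2, q_pri_2)
"""

# Options that override the normal routing decision for a rule's packets.
# The post mentions both; reply-to is the one on the failing rule.
POLICY_ROUTE_OPTS = ("reply-to", "route-to")


def logical_lines(text):
    """Join pf.conf '\\' continuation lines, drop comments and blank lines,
    and normalise whitespace, so that one list entry is one rule."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if line.endswith("\\"):
            buf += line[:-1] + " "             # continued on the next line
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():                            # dangling continuation at EOF
        out.append(" ".join(buf.split()))
    return out


def find_synproxy_policy_rules(text):
    """Return (rule_number, rule_text, option) for every filter rule that
    uses 'synproxy state' together with reply-to or route-to."""
    hits = []
    for n, rule in enumerate(logical_lines(text), 1):
        tokens = rule.split()
        if not tokens or tokens[0] not in ("pass", "block"):
            continue                           # rdr/nat/macros are not filter rules
        if not re.search(r"\bsynproxy\s+state\b", rule):
            continue
        for opt in POLICY_ROUTE_OPTS:
            if opt in tokens:
                hits.append((n, rule, opt))
    return hits


def apply_keep_state_workaround(text):
    """The workaround from the post: on the flagged rules only, replace
    'synproxy state' with 'keep state'; every other rule is left alone."""
    flagged = {n for n, _, _ in find_synproxy_policy_rules(text)}
    fixed = []
    for n, rule in enumerate(logical_lines(text), 1):
        if n in flagged:
            rule = re.sub(r"\bsynproxy\s+state\b", "keep state", rule)
        fixed.append(rule)
    return fixed


if __name__ == "__main__":
    for n, rule, opt in find_synproxy_policy_rules(SAMPLE_RULESET):
        print(f"rule {n}: synproxy state combined with {opt}:\n    {rule}")
    print("\nruleset with the workaround applied:")
    for rule in apply_keep_state_workaround(SAMPLE_RULESET):
        print("   ", rule)
```

Running it on a live box would be "pfctl -sr | python3 check.py" style; here the ruleset is embedded so it runs offline. The rule numbers it reports are logical-line numbers in the input, not the rule numbers pfctl -vsr prints, since macros and rdr lines are counted too.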