
Re: Load Balance in OpenBSD 3.3 with pf



> > # pfctl -ss
> >>>>
> > tcp 192.168.1.7:1364 -> 100.100.100.1:32451 -> 127.0.0.1:8081
> > SYN_SENT:CLOSED
> > tcp 127.0.0.1:8081 <- ftp_site_addr:21 <- 192.168.1.7:1364
> > CLOSED:SYN_SENT
> > <<<
>
> Oops.  Missed that.  Need to add something like this to your rules:
>    pass in on $int_if proto tcp from $internal_net to 127.0.0.1 port
> 8081 flags S/SA keep state
>
> Right now it's getting passed through the route-to rules, so the
> local machine never actually sees the packets.
I tried several approaches, but still can't solve my problem.
Maybe I am confused about something.
So I am posting my new pf.conf and asking for your help.
1. Although I set a rule for ICQ,
pass in on $int_if route-to ($ext_if1 $ext_gw1) round-robin proto tcp \
from $internal_net to any port 5190 flags S/SA modulate state
 but my ICQ still can't log in to the ICQ server smoothly
 (sometimes I can, and sometimes I can't).
# pfctl -ss
tcp 64.12.161.153:5190 <- 192.168.1.7:1271       TIME_WAIT:TIME_WAIT
tcp 205.188.9.195:5190 <- 192.168.1.7:1276       TIME_WAIT:TIME_WAIT
tcp 192.168.1.7:1271 -> 211.21.32.58:13770 -> 64.12.161.153:5190       TIME_WAIT:TIME_WAIT
tcp 192.168.1.7:1276 -> 210.64.89.130:43488 -> 205.188.9.195:5190       TIME_WAIT:TIME_WAIT
2. I set a rule for FTP clients connecting to FTP sites,
pass in on $int_if proto tcp \
from $internal_net to any port 8081 flags S/SA modulate state
 but I just can't connect to some sites...
I just can't connect to ftp1:
# pfctl -ss
tcp ftp_site_add1:21 <- 192.168.1.7:1135       ESTABLISHED:ESTABLISHED
tcp ftp_site_add1:36838 <- 192.168.1.7:1137       FIN_WAIT_2:ESTABLISHED
tcp 192.168.1.7:1135 -> ext_if1:62450 -> ftp_site_add1:21       ESTABLISHED:FIN_WAIT_2
tcp 192.168.1.7:1137 -> ext_if2:28631 -> ftp_site_add1:36838       ESTABLISHED:ESTABLISHED
but I can connect to others, like ftp2:
# pfctl -ss
tcp ftp_site_add2:21 <- 192.168.1.7:1138       FIN_WAIT_2:FIN_WAIT_2
tcp ftp_site_add2:2878 <- 192.168.1.7:1142       FIN_WAIT_2:FIN_WAIT_2
tcp 192.168.1.7:1138 -> ext_if1:24283 -> 203.187.15.34:21       FIN_WAIT_2:FIN_WAIT_2
tcp 192.168.1.7:1142 -> ext_if2:6108 -> 203.187.15.34:2878       FIN_WAIT_2:FIN_WAIT_2
I don't know why. Does ftp1 have any special settings?
Thanks a lot.
-------------------------------------------------------------------------------
ext_if1 = "xl0"  # replace with actual external interface name, e.g. dc0
ext_if2 = "fxp0" # replace with actual external interface name, e.g. dc0
int_if = "dc0"   # replace with actual internal interface name, e.g. dc1
internal_net = "192.168.1.0/24"
ext_gw1 = "100.1.1.6"
ext_gw2 = "200.1.1.6"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)
# Filtering: the implicit first two rules are
pass in all
pass out all
pass quick on lo0 all
# pass all outgoing packets on internal interface
pass out on $int_if from any to $internal_net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $internal_net to $int_if
# ICQ
pass in on $int_if route-to ($ext_if1 $ext_gw1) round-robin proto tcp from $internal_net to any port 5190 flags S/SA modulate state
#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $internal_net to any flags S/SA \
    modulate state
#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $internal_net to any \
    keep state
#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
pass in on $int_if proto tcp from $internal_net to 127.0.0.1 port 8081 flags S/SA keep state
#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
--
*Please join the petition to boycott RedHat Linux versions after 8.0
http://www.slat.org/event/redhat-flag
*Please support and take part in the Freenix server documentation writing and verification project
http://www.freenix-server.info
--
Sing out when you win, let it go when you lose;
however deep the sorrow, let it drift away.
Doze in a haze beneath the shade of the green pines;
the swallows gone, the tower empty, the moon a hook.
      風起雲湧II-幽靈
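An added example, not part of the thread: in the ftp1 state table above the control connection (port 21) leaves through ext_if1 while the data connection leaves through ext_if2, so the FTP server sees two different client addresses, and servers that refuse data connections from an address other than the control peer (a common defence against FTP bounce) fail exactly this way. This Python script parses `pfctl -ss` output in the shape shown and flags FTP sessions that round-robin has split across external addresses; the sample lines are constructed and the interface and server names are placeholders as in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the poster's `pfctl -ss` output; the
# interface and server names are placeholders, as they were in the post.
SAMPLE_STATES = """\
tcp ftp_site_add1:21 <- 192.168.1.7:1135       ESTABLISHED:ESTABLISHED
tcp 192.168.1.7:1135 -> ext_if1:62450 -> ftp_site_add1:21       ESTABLISHED:FIN_WAIT_2
tcp 192.168.1.7:1137 -> ext_if2:28631 -> ftp_site_add1:36838       ESTABLISHED:ESTABLISHED
tcp 192.168.1.7:1138 -> ext_if1:24283 -> ftp_site_add2:21       FIN_WAIT_2:FIN_WAIT_2
tcp 192.168.1.7:1142 -> ext_if1:6108 -> ftp_site_add2:2878       FIN_WAIT_2:FIN_WAIT_2
tcp 192.168.1.7:1271 -> 211.21.32.58:13770 -> 64.12.161.153:5190       TIME_WAIT:TIME_WAIT
"""

# Outbound, NAT-translated state: proto src -> translated source -> dst  state
OUTBOUND = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<xlat>\S+):(?P<xport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<state>\S+)$"
)


def parse_states(text):
    """Return (client, translated_addr, server, server_port) for each outbound
    TCP state; inbound ("<-") lines are the same sessions seen from the other
    side and are skipped."""
    rows = []
    for line in text.splitlines():
        m = OUTBOUND.match(line.strip())
        if m and m.group("proto") == "tcp":
            rows.append((m.group("src"), m.group("xlat"), m.group("dst"),
                         int(m.group("dport"))))
    return rows


def find_split_ftp_sessions(text):
    """Map (client, server) -> sorted external addresses for every FTP session
    whose control connection (port 21) and some other connection to the same
    server left through different translated addresses, i.e. round-robin put
    the data channel on the other uplink."""
    seen = defaultdict(lambda: {"ctrl": set(), "other": set()})
    for client, xlat, server, dport in parse_states(text):
        seen[(client, server)]["ctrl" if dport == 21 else "other"].add(xlat)
    split = {}
    for key, s in seen.items():
        if s["ctrl"] and (s["other"] - s["ctrl"]):
            split[key] = sorted(s["ctrl"] | s["other"])
    return split


if __name__ == "__main__":
    for (client, server), addrs in find_split_ftp_sessions(SAMPLE_STATES).items():
        print(f"{client} -> {server}: control and data left via {', '.join(addrs)}")
```

Keeping FTP on one uplink, with a port 21 route-to rule that wins over the round-robin rule (pf uses the last matching rule unless `quick` is set) or by sending FTP through ftp-proxy, avoids the split.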