
How to use "synproxy state" instead of "keep state" with rdr/nat connections?



I am working with a common SMTP configuration in which connections are
treated with NAT and RDR to direct them to an internal mail server. It
seemed useful to apply synproxy to incoming traffic destined for the mail
server, but after changing the statement from "keep state" to "synproxy state",
the mail server can't reply to the incoming connection. An entry shows up in
pflog0. I applied this to the "pass in on ext_if" rule near the bottom of
pf.conf.
Is it possible to accomplish what I am trying to do?
George
-----------------------------
Relevant portions of pf.conf:
-----------------------------
int_if = "fxp0"
ext_if1 = "fxp1"
ext_if2 = "fxp2"
lan_net = "192.168.1.0/24"
ext_gw1 = a.b.c.193
ext_gw2 = d.e.f.1
# Make all SMTP appear to come from .195
# Make all other traffic on ext_if1 come from .199
nat on $ext_if1 from $lan_net to any port smtp -> a.b.c.195
nat on $ext_if1 from $lan_net to any port != smtp -> a.b.c.199
nat on $ext_if2 from $lan_net to any -> d.e.f.138      
# SMTP: packets coming in on $ext_if1 with destination a.b.c.195:25 will
# be redirected to the mail server, port 25. A state is created for such
# packets, and outgoing packets will be translated as coming from the
# external address.
rdr on $ext_if1 proto tcp from any to a.b.c.195 port smtp -> 192.168.1.1 \
        port smtp
# default: block all
block in on $int_if
block out on $int_if
block in on { $ext_if1, $ext_if2 }
block out on { $ext_if1, $ext_if2 }
        
pass in quick on $int_if route-to \
        ($ext_if1 $ext_gw1) \
        proto tcp from any to any port = smtp flags S/SA keep state
pass in on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto tcp from any to any port != smtp flags S/SA keep state
pass out on $int_if from any to $lan_net keep state
# Allow incoming connections to mail server.
# Would like to use "synproxy state" instead of "keep state" but packets
# get rejected
pass in on $ext_if1 inet proto tcp from any to 192.168.1.1 port smtp \
        flags S/SA keep state
pass out on $ext_if1 proto tcp all flags S/SA keep state
pass out on $ext_if2 proto tcp all flags S/SA keep state
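The pflog0 entry George mentions is the most useful clue for working out why the server's replies are dropped: it names the block rule, the direction and the interface. As an added example that is not part of the original post, the script below parses lines in the shape of `tcpdump -n -e -ttt -i pflog0` output and groups blocked packets sent by the mail server from port 25 by (rule number, direction, interface). The sample log is constructed; it uses documentation addresses (198.51.100.195 standing in for a.b.c.195, 203.0.113.x for remote clients) and the interface names from the pf.conf above.

```python
import re
from collections import Counter

# Constructed sample approximating `tcpdump -n -e -ttt -i pflog0` output.
# Lines 1-2: the mail server's SYN/ACK replies arriving on the internal
# interface fxp0 are blocked (no matching state); line 3: a blocked SYN on
# fxp1; line 4: a logged pass, included to show it is filtered out.
SAMPLE_PFLOG = """\
000000 rule 3/0(match): block in on fxp0: 192.168.1.1.25 > 203.0.113.7.40001: S 10:10(0) ack 1 win 16384
000231 rule 3/0(match): block in on fxp0: 192.168.1.1.25 > 203.0.113.7.40001: S 10:10(0) ack 1 win 16384
001002 rule 5/0(match): block in on fxp1: 203.0.113.9.51000 > 198.51.100.195.25: S 1:1(0) win 65535
000004 rule 9/0(match): pass in on fxp1: 203.0.113.7.40002 > 198.51.100.195.25: S 2:2(0) win 65535
"""

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\):\s+(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+"
    r"(?P<ifname>\w+):\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"\s+(?P<flags>[SFRPAUEW.]+)(?P<rest>.*)"
)


def parse_pflog(text):
    """Yield one dict per parseable pflog line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            # A SYN that also carries an ack is the server's second handshake step.
            rec["synack"] = rec["flags"] == "S" and " ack " in rec["rest"]
            yield rec


def blocked_mail_replies(text, mail_server="192.168.1.1", mail_port="25"):
    """Count blocked packets sent by the mail server from port 25, keyed by
    (rule number, direction, interface). Non-empty output means the server's
    replies are hitting a block rule instead of matching the SMTP state."""
    counts = Counter()
    for rec in parse_pflog(text):
        if rec["action"] != "block":
            continue
        if rec["src"] == mail_server and rec["sport"] == mail_port:
            counts[(rec["rule"], rec["dir"], rec["ifname"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in blocked_mail_replies(SAMPLE_PFLOG).items():
        print("rule %d, %s on %s: %d blocked reply packet(s)" % (key + (n,)))
```

Running `pfctl -sr -vv` shows the rule numbers pf assigns, so the rule number reported here can be matched to the line in pf.conf that dropped the replies.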