Re: Route-to dilemma, more detail

Okay, I'm probably just being dense here, but I want to make sure I
understand the basic problem before shooting my mouth off.
Your problem is that you _want_ to round-robin the data connection, but it's
not, right?  Is the control connection going round-robin?  Are you talking
about an FTP server behind the firewall, an FTP server on the same machine
as the firewall, or are you talking about FTP clients?  Or all three?
Thanks, and sorry for being dense...
-Dylan
> >--- George Pontis <[email protected]> wrote:
> >
> >> From the pf user's guide:
> >>
> >> "The route-to option is used on traffic coming in on the internal interface
> >> to specify the outgoing network interfaces..."
> >>
> >> I followed this usage and the example in the user's guide to set up OpenBSD
> >> 3.5 to load-balance outgoing connections over two gateways. There is also
> >> some specific traffic routing to keep traffic local. For example, traffic to
> >> the same subnet as the gateway should go out that gateway and not be subject
> >> to round-robin. It seems to be working.
> >>
> >> However, this routing does not go as planned with an FTP transfer. I believe
> >> that this is due to ftpd. When ftpd makes the transfer request, the route-to
> >> rules are not evaluated since the traffic is not coming in on int_if, but is
> >> internally generated by the daemon. The result is that all FTP traffic flows
> >> through the first gateway.
> >>
> >> Is there a different way to use route-to that gets around this consequence
> >> of the daemon?
> >>
> >> George
> >
> >Dear All
> >Can you have more detail on this one? (ex: pf.conf)
> >"There is also some specific traffic routing to keep traffic local. For
> >example, traffic to the same subnet as the gateway should go out that
> >gateway and not be subject to round-robin"
> >
> >regards
> >reza
> 
> The entire pf.conf, with some completely unrelated stuff trimmed, follows.
> The specific rules that keep local traffic local follow a comment about 50
> lines from the end:
> "ISP1 address blocks always go out ext_if1"
> 
> There is a line shortly above that which passes in traffic to ftpd. But the
> packet has already been redirected to 127.0.0.1 by that time, so it is not
> clear how to steer it to a specific interface based on the destination address.
> 
> All comments and constructive criticism welcome.
> 
> George
> 
> #################################################################################
> # Macros and Tables (grouped here for convenience)
> #################################################################################
> int_if = "fxp0"
> ext_if1 = "fxp1"
> ext_if2 = "fxp2"
> lan_net = "192.168.1.0/24"
> ext_gw1 = a.b.c.193
> ext_gw2 = d.e.f.1
> modem_net1 = "192.168.254.0/24"
> modem_net2 = "192.168.253.0/24"
> 
> # ISP1 addresses to route directly
> table <isp1_addr> const {       \
>         ...                     \
> }
> 
> # ISP2 addresses to route directly
> table <isp2_addr> const {       \
>         ...				\
> }
> 
> # IP Addresses of computers allowed to make outgoing SMTP connections
> mail_servers = "{ 192.168.1.1, 192.168.1.2 }"
> 
> # UDP Services
> # Note that some services like DNS responses are already allowed by keeping
> # state on outgoing UDP requests.
> udp_services = "{ ntp, syslog, tftp, bootps }"
> 
> # ICMP Packets allowed to reach the firewall machine
> icmp_types = "{ echoreq, unreach }"
> 
> # Blocked ports applied to outbound traffic
> blocked_outbound_tcp_ports = "{ bootpc, bootps, netbios-dgm, netbios-ns, netbios-ssn, smtp, ssdp }"
> blocked_outbound_udp_ports = "{ bootpc, bootps, netbios-dgm, netbios-ns, netbios-ssn, ssdp }"
> 
> #################################################################################
> # Options Section
> # Note that only one interface can be monitored for statistics at a time
> # Force state matching on an interface by interface basis
> #################################################################################
> set loginterface $ext_if2
> set block-policy drop
> 
> 
> #################################################################################
> # Normalization Section
> #################################################################################
> scrub in all
> 
> 
> #################################################################################
> # Queueing Section
> #################################################################################
> altq on $ext_if1 priq bandwidth 520Kb queue { q_pri1, q_def1 }
> queue q_pri1 priority 7
> queue q_def1 priority 1 priq(default)
> 
> altq on $ext_if2 priq bandwidth 356Kb queue { q_pri2, q_def2 }
> queue q_pri2 priority 7
> queue q_def2 priority 1 priq(default)
> 
> 
> #################################################################################
> # Translation Section
> # Specify how addresses are to be mapped or redirected.
> #################################################################################
> 
> # nat: packets going out through $ext_if1 with source address $internal_net will
> # get translated as coming from the address of $ext_if1, a state is created for
> # such packets, and incoming packets will be redirected to the internal address.
> # can't use $ext_if1 as a target since it will expand to all five addresses and try
> # to do outbound load balancing. A special rule is made to ensure that outgoing mail
> # appears to be from the mail address, .195
> #
> # NAT needs to be applied to each outgoing interface
> 
> nat on $ext_if1 from $lan_net to $modem_net1 -> 192.168.254.1
> nat on $ext_if1 from $lan_net to any port smtp -> a.b.c.195
> nat on $ext_if1 from $lan_net to any port != smtp -> a.b.c.199
> nat on $ext_if2 from $lan_net to $modem_net2 -> 192.168.253.1
> nat on $ext_if2 from $lan_net to any -> d.e.f.246
> 
> #
> # .195 - MAIL
> #
> # SMTP: packets coming in on $ext_if1 with destination a.b.c.195:25 will
> # be redirected to the mail server, port 25. A state is created for such packets,
> # and outgoing packets will be translated as coming from the external address.
> rdr on $ext_if1 proto tcp from any to a.b.c.195 port smtp -> 192.168.1.1 port smtp
> 
> # FTP: send outgoing FTP requests to the ftp-proxy
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> 
> #################################################################################
> # Filter Section
> #################################################################################
> 
> # Block everything by default
> block return in log on $int_if all label "Blocked in on int_if"
> block return out log on $int_if all label "Blocked out on int_if"
> block in on $ext_if1 all label "Blocked in on ext_if1"
> block out log on $ext_if1 all label "Blocked out on ext_if1"
> block in on $ext_if2 all label "Blocked in on ext_if2"
> block out log on $ext_if2 all label "Blocked out on ext_if2"
> 
> #
> # Anti-spoofing
> # Drop unroutable packets, avoid stopping genuine internal traffic
> #
> pass in quick on lo0 all keep state
> antispoof log for $int_if label "Spoofed packets on int_if"
> antispoof log for $ext_if1 label "Spoofed packets on ext_if1"
> antispoof log for $ext_if2 label "Spoofed packets on ext_if2"
> 
> #
> # Allow incoming connections to specific TCP services
> # Let pf complete the handshake with synproxy, to protect server from TCP SYN floods
> #
> pass in on $ext_if1 inet proto tcp from any to 192.168.1.1 port smtp \
>         flags S/SA keep state queue (q_def1, q_pri1) \
>         label "Incoming mail connection to port $dstport"
> 
> #
> # Backchannel for ftp-proxy
> #
> pass in on $ext_if1 inet proto tcp from any to $ext_if1 port > 49151 \
>         user proxy keep state queue (q_def1, q_pri1) \
>         label "FTP-PROXY connection allowed on ext_if1"
> 
> #
> # Allow and block specific incoming ICMP.
> # Return ICMP-unreachable for attempts to connect to port 113 (auth)
> #
> pass in on $ext_if1 inet proto icmp all icmp-type $icmp_types keep state
> pass in on $ext_if2 inet proto icmp all icmp-type $icmp_types keep state
> block return-icmp in quick on $ext_if1 proto tcp from any to any port auth \
>         label "Auth request on $ext_if1"
> block return-icmp in quick on $ext_if2 proto tcp from any to any port auth \
>         label "Auth request on $ext_if2"
> 
> 
> #
> # Rules for internal/lan interface
> # pass all outgoing packets on internal interface, keep state to respond to appropriate interface
> # pass in quick any packet destined for the gateway itself
> # route all outgoing smtp to ext_if1
> # drop all outgoing packets with a disallowed destination port
> # force all packets local to the providers (especially domain svc and mail) to go to them directly
> # load balance other outgoing tcp traffic from internal network
> # load balance outgoing udp and icmp traffic from internal network.
> #
> pass out on $int_if from any to $lan_net keep state
> pass in quick on $int_if from $lan_net to $int_if keep state
> pass in quick on $int_if proto tcp from $lan_net to 127.0.0.1 port = 8021 \
>         keep state label ftp-proxy
> pass in quick on $int_if \
>         route-to ($ext_if1 $ext_gw1) \
>         proto tcp from $mail_servers to any port = smtp flags S/SA keep state
> 
> block in quick log on $int_if proto tcp from any to any \
>         port $blocked_outbound_tcp_ports \
>         label "Blocked outbound tcp traffic to port $dstport"
> block in quick log on $int_if proto udp from any to any \
>         port $blocked_outbound_udp_ports \
>         label "Blocked outbound udp traffic to port $dstport"
> 
> # ISP1 address blocks always go out ext_if1
> pass in quick on $int_if \
>         route-to ($ext_if1 $ext_gw1) \
>         proto tcp from $lan_net to <isp1_addr> flags S/SA keep state
> 
> # ISP2 address blocks always go out ext_if2
> pass in quick on $int_if \
>         route-to ($ext_if2 $ext_gw2) \
>         proto tcp from $lan_net to <isp2_addr> flags S/SA keep state
> 
> # Round-robin all other TCP, UDP, and ICMP
> pass in quick on $int_if \
>         route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
>         proto tcp from $lan_net to any flags S/SA keep state
> pass in quick on $int_if \
>         route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
>         proto udp from $lan_net to any keep state
> pass in quick on $int_if \
>         route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
>         proto icmp from $lan_net to any keep state
> 
> #
> # Pass-out rules for external interfaces 
> # Allow all outgoing traffic, except limit outgoing smtp to mailservers.
> # Keep state to enable responses and ICMP associated with the connection.
> # Packets marked "lowdelay" or TCP ACKs w/o data will get priority
> #
> pass out on $ext_if1 proto tcp all flags S/SA keep state queue (q_def1, q_pri1)
> pass out on $ext_if1 proto { udp, icmp } all keep state
> 
> pass out on $ext_if2 proto tcp all flags S/SA keep state queue (q_def2, q_pri2)
> pass out on $ext_if2 proto { udp, icmp } all keep state
> 
> #
> # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for ext_if2 to ext_gw2
> #
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any keep state
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state
>
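As an added sketch (not George's config, and not tested on OpenBSD 3.5), this applies the pass-out route-to idea he already uses for his external interfaces to the proxy's own connections: match them on $ext_if1 by destination table and socket owner, reroute them to the ISP2 gateway, and NAT them on $ext_if2 so the source address matches the interface they leave on. That the default route is via $ext_if1, and that pf applies the nat rule on the new interface to a route-to'd packet on that release, are assumptions to confirm with pfctl before relying on it.

```pf
# Added illustration (not George's config, untested on 3.5): steer the
# ftp-proxy's own outbound connections by destination.  These packets are
# generated on the firewall itself, so they never traverse the
# "pass in on $int_if ... route-to" rules; pf first sees them as outgoing on
# whichever interface the kernel's default route selected.

# Assumption: the default route is $ext_if1/$ext_gw1, so the proxy's socket
# is bound to an ISP1 address.  Translate rerouted packets to the ISP2
# address before they leave $ext_if2, otherwise ISP2 may discard them as
# spoofed.  (Whether nat on the new interface is applied to a route-to'd
# packet must be confirmed on the running release.)
nat on $ext_if2 from $ext_if1 to <isp2_addr> -> d.e.f.246

# Connections owned by the ftp-proxy user (it runs as "proxy", as the
# backchannel rule above shows), bound for ISP2 address space: leave via
# ext_if2.  Placed after the existing "pass out on $ext_if1" rules and
# marked quick so the generic pass-out rules do not override it; the queue
# names belong to ext_if1, so no queue is assigned here.
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) \
        inet proto tcp from $ext_if1 to <isp2_addr> \
        user proxy flags S/SA keep state \
        label "ftp-proxy connection to ISP2 via ext_if2"

# Everything else the proxy originates keeps following the default route,
# which already covers the "ISP1 address blocks always go out ext_if1" case
# for locally generated traffic; round-robin is not attempted here because
# the source address of a local socket is fixed once it is bound.
```

Check the effect with `pfctl -vvsr` (per-rule evaluation and packet counters) and `pfctl -ss` while a transfer to an ISP2 address runs; if the new rule's counters stay at zero, the proxy's packets are not reaching it as expected.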