
Re: problem load balancing incoming connections



Oops,
I forgot to attach the new ruleset.
# pf ruleset: one LAN interface (sis0) behind two upstream links (rl0 and tun0),
# with inbound web traffic on either link redirected to an internal server.
# NOTE(review): pf evaluates rules last-match-wins unless "quick" is given, so
# the order of the block/pass rules below is significant; do not reorder.
ext_if1="rl0"
gw_if1="200.177.74.1"
gw_if2="200.164.195.8"
ext_if2="tun0"
int_if="sis0"
# NOTE(review): lan_net is defined but never referenced; every rule below uses
# $int_if:network directly. Either drop it or use it consistently.
lan_net=$int_if:network
tcp_INservices = "{ 22 }"
icmp_types = "echoreq"
# NOTE(review): priv_nets is defined but never used. If the intent was to drop
# packets with loopback/RFC1918 source addresses arriving on the external
# interfaces, the block rule (or an "antispoof" line) referencing it is still
# missing from the filter section.
priv_nets =  "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
intweb = "192.168.1.10"
# logging and pfstat
# Per-interface counters are gathered on the LAN side only.
set loginterface $int_if
# scrub
# Normalise all inbound packets on every interface.
scrub in all
# nat/rdr
# LAN sources are translated to whichever external interface the packet leaves on.
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
# internal web server
# TCP/80 arriving on either external link is redirected to $intweb.
rdr on {$ext_if1,$ext_if2} proto tcp from any to any port 80 -> $intweb
# filter rules
# default deny
# Everything not explicitly passed later is dropped and logged, both directions.
block in log from any to any
block out log from any to any
# loopback
pass quick on lo0 all
# Internal services on the LAN
# The tag records which external link the connection arrived on; it is matched
# by the "tagged" rules on $int_if below.
# NOTE(review): these rules pass any protocol and any port to $intweb, not only
# the TCP/80 traffic the rdr above produces. Narrowing them to
# "inet proto tcp ... port 80" would stop a packet that already carries the
# internal address as its destination from being accepted on the external
# interfaces (this is also where an unused priv_nets block would help).
pass in log on $ext_if1 from any to $intweb tag from_ef1 keep state
pass in log on $ext_if2 from any to $intweb tag from_ef2 keep state
# packets for the internal webserver
# reply-to is attached to the outbound state on $int_if, selected by the tag
# set on ingress, so the server's replies are sent back via the gateway of
# the link the request came in on.
# NOTE(review): pf.conf(5) describes reply-to as meaningful on the rule that
# creates state for the inbound connection, and the usual multi-link example
# attaches it to the "pass in on $ext_if" rule rather than to a "pass out" on
# the LAN side; if replies still leave via the wrong link, presumably that is
# the first thing to change — confirm against the pf version in use.
pass out log on $int_if reply-to ($ext_if1 $gw_if1) \
     from any to $intweb tagged from_ef1 keep state
pass out log on $int_if reply-to ($ext_if2 $gw_if2) \
     from any to $intweb tagged from_ef2 keep state
# from internal net to external services
# Any protocol from the LAN is allowed in on $int_if; outbound on the external
# links is limited by the "outside services" rules at the bottom.
pass in log on $int_if from $int_if:network to any keep state
# from firewall to internal network
pass out log on $int_if from $int_if to $int_if:network keep state
# firewall services
# SSH to the firewall's own address on either external link, SYN-only state.
# NOTE(review): unlike the web rules there is no reply-to here, so replies to
# a connection that arrived on the non-default link presumably follow the
# default route — verify, and consider restricting the source if feasible.
pass in log on $ext_if1 inet proto tcp from any to ($ext_if1) \
     port $tcp_INservices flags S/SA keep state
pass in log on $ext_if2 inet proto tcp from any to ($ext_if2) \
     port $tcp_INservices flags S/SA keep state
# icmp
# Echo requests are accepted on every interface (no "on" clause).
pass in log-all inet proto icmp all icmp-type $icmp_types keep state label icmp
#pass in log-all on $ext_if1 reply-to ($ext_if1 $gw_if1) inet proto icmp all icmp-type $icmp_types keep state label icmp-if1
#pass in log-all on $ext_if2 reply-to ($ext_if2 $gw_if2) inet proto icmp all icmp-type $icmp_types keep state label icmp-if2
# outside services
# Only TCP (SYN-initiated), UDP and ICMP may leave via the external links;
# any other protocol is caught by the default "block out" above.
pass out on $ext_if1 proto tcp all flags S/SA keep state
pass out on $ext_if2 proto tcp all flags S/SA keep state
pass out on $ext_if1 proto {udp icmp} all keep state
pass out on $ext_if2 proto {udp icmp} all keep state