Doug Sampson wrote:
On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
I want to back up a client running packet filter. I am using Bacula to back up this client to a Bacula server in the internal network. The Bacula client has two interfaces: one external and one internal. The client's internal IF is 192.168.1.25. The Bacula server is at 192.168.1.17.
When I attempt to contact the Bacula file daemon on the client, it responds by sending packets to the Bacula server daemon at a different port. It should contact the storage daemon at port 9103, but instead it attempts to contact the storage daemon at a port address that is not 9103. Thus the backup job fails.
I've tried rdr to no avail. Here's my pf.conf:
mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf
use "pfctl -vvsr" instead of -nf to make sure you really get the rules that are loaded and not those that you wanted to load.
mailfilter-root@/usr/local/etc# pfctl -vvsr
No ALTQ support in kernel
ALTQ related functions disabled
@0 scrub in all fragment reassemble
  [ Evaluations: 18953753 Packets: 9488185 Bytes: 0 States: 0 ]
@0 block drop in log all
  [ Evaluations: 125309 Packets: 710 Bytes: 107361 States: 0 ]
@1 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
  [ Evaluations: 61682 Packets: 333 Bytes: 141046 States: 0 ]
@2 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
  [ Evaluations: 92705 Packets: 0 Bytes: 0 States: 0 ]
@3 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
  [ Evaluations: 78929 Packets: 0 Bytes: 0 States: 0 ]
@4 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
  [ Evaluations: 29478 Packets: 0 Bytes: 0 States: 0 ]
@5 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
  [ Evaluations: 75458 Packets: 0 Bytes: 0 States: 0 ]
@6 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
  [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
@7 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
  [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
@8 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
  [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
@9 block drop out log quick on rl0 inet from any to 127.0.0.0/8
  [ Evaluations: 62532 Packets: 0 Bytes: 0 States: 0 ]
@10 block drop out log quick on rl0 inet from any to 192.168.0.0/16
  [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
@11 block drop out log quick on rl0 inet from any to 172.16.0.0/12
  [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
@12 block drop out log quick on rl0 inet from any to 10.0.0.0/8
  [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
@13 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
  [ Evaluations: 125309 Packets: 0 Bytes: 0 States: 0 ]
@14 block drop in log quick inet from 192.168.1.25 to any
  [ Evaluations: 112752 Packets: 0 Bytes: 0 States: 0 ]
@15 pass in on xl0 inet from 192.168.1.0/24 to any
  [ Evaluations: 61682 Packets: 60947 Bytes: 17390149 States: 0 ]
@16 pass out log on xl0 inet from any to 192.168.1.0/24
  [ Evaluations: 124639 Packets: 51070 Bytes: 43963111 States: 0 ]
@17 pass out log quick on xl0 inet from any to 10.8.0.0/24
  [ Evaluations: 51070 Packets: 0 Bytes: 0 States: 0 ]
@18 pass out on rl0 proto tcp all flags S/SA modulate state
  [ Evaluations: 64297 Packets: 53895 Bytes: 42581384 States: 4 ]
@19 pass out on rl0 proto udp all keep state
  [ Evaluations: 12557 Packets: 23586 Bytes: 1793665 States: 0 ]
@20 pass out on rl0 proto icmp all keep state
  [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
@21 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
  [ Evaluations: 74239 Packets: 0 Bytes: 0 States: 0 ]
@22 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
  [ Evaluations: 112420 Packets: 0 Bytes: 0 States: 0 ]
mailfilter-root@/usr/local/etc#
According to the output of "pfctl -vvsr", the packets are being allowed back into the internal network, which is what I want (according to rule #16). That's part of the problem.....
Is there another way of writing rules that will enable the Bacula client to pass packets to the correct port number?
Yes, make the 1st rule
block log all
to drop both ingress and egress traffic by default.
Secondly, get rid of the stateless rules. Use keep state everywhere, with flags S/SA if matching tcp traffic.
Regards
Greg
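A default-deny, fully stateful version of the ruleset along the lines Greg describes, written here as an added example; it is not part of the thread and not the poster's configuration. Interface names (xl0 internal, rl0 external) and the two addresses follow the pfctl output above. Port 9103 for the storage daemon is stated in the thread; port 9102 for the file daemon is the Bacula default and is assumed, as is the storage daemon living on the same host as the director.

```conf
# Added example (not from the original post): default-deny, stateful pf.conf
# for a dual-homed Bacula client that is also a mail filter.
# Assumed: xl0 = internal, rl0 = external, FD on 9102, SD on 9103 at 192.168.1.17.
ext_if     = "rl0"
int_if     = "xl0"
int_net    = "192.168.1.0/24"
client_ip  = "192.168.1.25"      # this host's internal address (from the thread)
bacula_srv = "192.168.1.17"      # director + storage daemon (assumed co-located)
fd_port    = "9102"              # Bacula file daemon default (assumed)
sd_port    = "9103"              # Bacula storage daemon (from the thread)

set skip on lo0
scrub in all fragment reassemble

# Greg's first point: deny everything in both directions. pf evaluates rules
# last-match-wins (unless "quick"), so this rule loses only to a later "pass".
block log all

# Private-address bogons on the external side, kept from the original ruleset.
table <bogons> { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block in  log quick on $ext_if inet from <bogons> to any
block out log quick on $ext_if inet from any to <bogons>

# Mail filter duty: SMTP in on the external address, SMTP in from the LAN.
pass in on $ext_if inet proto tcp from any to ($ext_if) port smtp \
    flags S/SA synproxy state
pass in on $int_if inet proto tcp from $int_net to $client_ip port smtp \
    flags S/SA keep state

# Bacula, inbound: the director opens the control connection to the FD.
pass in on $int_if inet proto tcp from $bacula_srv to $client_ip port $fd_port \
    flags S/SA keep state

# Bacula, outbound: the FD itself initiates the data connection to the SD
# on 9103 from an ephemeral source port. The SD's replies come back with
# source port 9103 and a random destination port; a stateless ruleset has to
# match them with some blanket "pass in", whereas "keep state" lets the entry
# created by this rule carry the whole flow in both directions.
pass out on $int_if inet proto tcp from $client_ip to $bacula_srv port $sd_port \
    flags S/SA keep state

# Management and general egress, all stateful. No "flags" on the mixed-proto
# rules because flags are only valid for tcp.
pass in  on $int_if inet proto tcp from $int_net to $client_ip port ssh \
    flags S/SA keep state
pass out on $int_if inet proto { tcp udp icmp } from $client_ip to $int_net keep state
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if) to any keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; then start a job and confirm the data connection shows up as a single state entry with `pfctl -ss | grep 9103`, and that the `States:` counters in `pfctl -vvsr` climb on the Bacula rules rather than on a catch-all pass rule.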
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"