Vadim Goncharov wrote:
Hi FreeBSD!
On Wed, 12 Nov 2008 17:22:13 -0500; FreeBSD wrote about 'RDR not triggered':
Quick explanation of my setup:
We have 2 webservers, a frontend and a backend. The frontend has a jail
for Lighttpd (images server) and Apache on the base system (for PHP).
There is one public IP associated to the jail on the public side of the
frontend server. There is only one internal private IP. The jail is
bound to 127.0.0.25 and a RDR on the external interface is redirecting
the traffic into the jail when the request arrives with its public IP as
destination.
rdr on $EXT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http
That's working great for external connections.
The problem is that the backend server needs to access the Lighttpd jail
by the public IP of the frontend server. I understand that I can't
redirect the traffic inside the jail with a RDR on the external
interface because the packets don't pass through that interface. That's
why I created a copy of the above RDR but on the internal interface.
rdr on $INT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http
That rule is never triggered even when the traffic, according to
tcpdump, corresponds to the criteria. At the moment, the RDR for
the internal interface is just before the external one.
The pfctl -gvvvsn output for these 2 rules:
@0 rdr on bge1 inet proto tcp from any to 66.AAA.BB.66 port = http -> 127.0.0.25 port 80
[ Skip steps: d=end f=9 p=9 sa=end sp=12 da=2 dp=2 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
[ Evaluations: 91246 Packets: 0 Bytes: 0 States: 0 ]
@1 rdr on bge0 inet proto tcp from any to 66.AAA.BB.66 port = http -> 127.0.0.25 port 80
[ Skip steps: i=9 d=end f=9 p=9 sa=end sp=12 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
[ Evaluations: 91246 Packets: 3261224 Bytes: 2403004153 States: 2531 ]
[...]
Nothing is blocked on either of the servers. The packets are simply not
redirected and are passed to the Apache on the base system of the frontend
server instead of going into the Lighttpd jail, but only when coming from the
internal network.
I'm using FreeBSD 6.2 on the frontend and 7.0 on the backend.
It is possible that you have "set skip on $INT_IF" - in that case all of that
interface's rules will not work. Or another reason; I'd need to see the complete pf
ruleset. Or try "rdr pass ..."
D'OH!!! You're right, there was a set skip on $INT_IF... I wasted all
my afternoon trying to debug that. Thanks a lot for your reply. You
just made my day :)
Martin
I've asked some people, they tried a similar (but not exact!) setup on 6.1/7.0,
and it worked. So it may be a bug in your version of pf, if not the ruleset.
The last possible reason - architectural flaw of pf, which binds IPs for states
to interfaces, in that case you will need to do ipfw fwd (can use both ipfw and
pf simultaneously).
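Vadim's diagnosis above (a "set skip on $INT_IF" silences every rule bound to that interface, rdr included, which is why the rule showed evaluations but no packets) can be checked mechanically before loading a ruleset. The following is an added example, not code from the thread: a POSIX sh/awk lint run over constructed pf.conf fragments that mirror Martin's setup with hypothetical macro values, listing every rule that is bound to a skipped interface.

```shell
#!/bin/sh
# Constructed pf.conf fragments mirroring the thread's setup (hypothetical
# macro values, not the poster's real ruleset). BAD has the "set skip on
# $INT_IF" that silently disables the internal-interface rdr; FIXED skips
# only lo0, so the rdr on $INT_IF is evaluated.
PF_CONF_BAD='
EXT_IF = "bge0"
INT_IF = "bge1"
IMG_SERVER = "192.0.2.66"
LIGHTTPD = "127.0.0.25"
set skip on $INT_IF
rdr on $INT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http
rdr on $EXT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http
'
PF_CONF_FIXED='
EXT_IF = "bge0"
INT_IF = "bge1"
IMG_SERVER = "192.0.2.66"
LIGHTTPD = "127.0.0.25"
set skip on lo0
rdr on $INT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http
rdr on $EXT_IF proto tcp from any to $IMG_SERVER port http -> $LIGHTTPD port http
'

# Read pf.conf text on stdin; print "<iface>: <rule>" for every rdr/nat/
# binat/pass/block/match rule bound to an interface listed in "set skip on".
# Interface tokens are compared literally, macro names included, because
# pfctl expands both the skip list and the rule the same way.
skip_conflicts() {
    awk '
        /^[ \t]*set[ \t]+skip[ \t]+on[ \t]/ {
            line = $0
            sub(/^[ \t]*set[ \t]+skip[ \t]+on[ \t]+/, "", line)
            gsub(/[{},]/, " ", line)          # "{ a, b }" -> " a  b "
            n = split(line, toks, /[ \t]+/)
            for (i = 1; i <= n; i++) if (toks[i] != "") skipped[toks[i]] = 1
            next
        }
        /^[ \t]*(rdr|nat|binat|pass|block|match)[ \t]/ {
            for (i = 1; i < NF; i++)
                if ($i == "on" && ($(i+1) in skipped)) { print $(i+1) ": " $0; break }
        }
    '
}

# Stand-alone run: the BAD ruleset reports its dead rdr, the FIXED one is silent.
printf '%s\n' "$PF_CONF_BAD" | skip_conflicts
printf '%s\n' "$PF_CONF_FIXED" | skip_conflicts
```

The lint only catches the literal-token case; a skip list written with an interface name while the rule uses the macro for it (or vice versa) would need macro expansion, which `pfctl -nvf pf.conf` performs when it prints the parsed ruleset.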
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"