
PF is not allowing SSH through - complicated by load balancing



I have spent 4 days trying to figure this out from the pf faq and other 
web resources but can't figure out what I am doing wrong.  What you will 
see below is hours of messing with the rules until I can't figure out 
what I have done and not done anymore...
I have an OpenBSD 3.4 system with a Sangoma Dual CSU/DSU (T1) interface 
with two T1s supplied by my ISP.  The ISP has set up load balancing on
their end to evenly spread the packets 50/50 across both T1s.  My
experience is mainly with ipfw on FreeBSD, but pf obviously allows for 
more tweaking AND load balancing, so here I am. 
The problem is that I cannot ssh to clients behind the firewall and I 
can't figure out why.  My setup:

# define the interfaces

lan_net = "206.132.238.0/24"
int_if = "fxp0"
int_if_priv = "fxp1" # private addy interface
ext_if1 = "wpachdlc0"
ext_if2 = "wpbchdlc0"
ext_gw1 = "64.208.26.233"
ext_gw2 = "64.212.109.161"


# a few macros
icmp_types = "echoreq"
tcp_services = "{ 22, 113 }"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# scrub all
scrub in all

#  default deny
block log all

# pass all on internal loop
pass quick on lo0 all

# allow ssh and 113
pass log inet proto tcp from any to any \
        port $tcp_services flags S/SA keep state

# allow icmp
pass in inet proto icmp all icmp-type $icmp_types keep state

#  pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

# load balance tcp
pass in on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto tcp from $lan_net to any flags S/SA modulate state

# load balance udp and icmp (route-to needs the same gateway pool as the
# tcp rule above; without it pfctl rejects the rule)
pass in on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto { udp, icmp } from $lan_net to any keep state

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# route packets on external interfaces through the appropriate
# gateway
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
       to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
       to any

Essentially, there are 4 interfaces on the machine.  wpachdlc0 and 
wpbchdlc0 are the T1 interfaces and fxp0 and fxp1 are the ethernet 
interfaces.  I want fxp0 to be the gateway address for the publicly 
addressed workstations/servers behind the router/firewall and fxp1 to be 
the router/gateway for the privately addressed machines behind the 
router/gateway.  Right now, I am not doing any nat, etc for fxp1 because 
I first want to get ssh from the outside through to 206.132.238.3.  
206.132.238.1 is currently set as the default gateway.  A sample of 
netstat -rn:

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            64.208.26.233      UGS         0        7      -   wpachdlc0
10.6.18/24         link#2             UC          3        0      -   fxp1
10.6.18.1          0:9:5b:2:46:6e     UHLc        0        0      -   fxp1
10.6.18.10         0:6:5b:84:55:db    UHLc        0        8      -   fxp1
10.6.18.12         link#2             UHLc        2    38588      -   fxp1
10.6.18.16         127.0.0.1          UGHS        0        0  33224   lo0
64.208.26.233      64.208.26.234      UH          1       13      -   wpachdlc0
64.212.109.161     64.212.109.162     UH          0        4      -   wpbchdlc0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          2        3  33224   lo0
206.132.238/24     link#1             UC          2        0      -   fxp0
206.132.238.1      0:a0:c9:26:a2:f    UHLc        0        6      -   lo0
206.132.238.12     0:a:95:b4:6c:c6    UHLc        2     5303      -   fxp0
224/4              127.0.0.1          URS         0        0  33224   lo0

Does anyone have any ideas as to why I cannot ssh in from the outside 
(everything else internally works fine - i.e. I can browse, ssh, etc. 
from a workstation behind the router/firewall)? 

TIA,
Steve Fettig
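The ruleset above only uses route-to, which steers connections the LAN originates. For connections that arrive from the outside on either T1, pf's reply-to option is the counterpart: it pins the return packets to the link the connection came in on rather than the default route. The fragment below is an added example, not the poster's ruleset or anything from the thread; it reuses the interface and gateway names from the post, targets the 206.132.238.3 host named there, and assumes the reply-to syntax documented in pf.conf(5) for this OpenBSD release.

```pf
# Added example: accept inbound ssh to one host behind the firewall on
# either T1, and answer on the same T1 the connection arrived on.
ext_if1  = "wpachdlc0"
ext_if2  = "wpbchdlc0"
ext_gw1  = "64.208.26.233"
ext_gw2  = "64.212.109.161"
int_if   = "fxp0"
ssh_host = "206.132.238.3"   # host from the post; adjust as needed

# One rule per external link.  reply-to (if gw) sends the replies of this
# state back through the gateway on the interface that saw the SYN, so a
# connection arriving on wpbchdlc0 is not answered via the default route
# on wpachdlc0.  flags S/SA keep state creates state only on the initial SYN.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto tcp \
        from any to $ssh_host port 22 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
        from any to $ssh_host port 22 flags S/SA keep state

# Let the forwarded connection leave toward the host on the LAN side.
# Redundant if the state above already matches on fxp0, but it keeps the
# ruleset explicit about what is allowed out of the internal interface.
pass out on $int_if inet proto tcp from any to $ssh_host port 22 \
        flags S/SA keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, which catches the kind of incomplete route-to rule that creeps in after hours of editing. Once loaded, `pfctl -sr` shows the rules as pf actually parsed them, and because the default-deny rule carries `log`, `tcpdump -n -e -ttt -i pflog0` prints each blocked packet together with the rule number and interface that dropped it, which tells you whether the inbound SYN or the host's reply is the packet being lost.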