Subject: Re: HELP w/pf (was ipf, DHCP & postfix)
To: None <netbsd-help@NetBSD.org>
From: Pimin <pimin@rockhead.com>
List: netbsd-help
Date: 11/11/2006 10:30:06
Tobias wrote:
> I don't think that kind of routing setup can be made with ipf.
> The provider will only route traffic originating from it's own
> ip address space due to spoofing issues.
> It might work if you switch to pf. (there's a kernel module available)
> Look at the pf.conf manual page and the reply-to keyword in
> particular.
>
> -Tobias
I misstated the sequence: the traffic on the "cable" interface (tlp1) is
in response to incoming traffic on the "DSL" interface (tlp0). I need
to redirect the packets with the "DSL" src addr to the "DSL" interface.
These pf rules compile but don't seem to do what I need:
ext_if="tlp1"
int_if="re0"
dsl_if="tlp0"
dsl_ip="209.128.91.40/29"
set debug loud
pass out on $ext_if reply-to $dsl_if proto tcp from {$dsl_ip} to any
pass out on $ext_if reply-to $dsl_if proto udp from {$dsl_ip} to any
Clues about what I'm doing wrong are appreciated.
TIA,
Paul
> Pimin wrote:
>
>> Running NetBSD 3.0.1 & postfix 2.3.3.
>>
>> Apologies if I'm in the wrong list, being incredibly dense and/or not including relevant
>> information.
>>
>> I've appended the ipf settings for tlp1 (cable). "Cable" is a DHCP connection.
>> When "cable" is up it is my default route. Postfix has been told (via inet_interfaces)
>> that it should use the "DSL" (rockhead.com) line. Things seem to work well except that
>> I get the following on the "cable" interface:
>>
>> 11:58:29.493860 IP rockhead.com.smtp > dsl-189-156-21-235.prod-infinitum.com.mx.2041: \
>> S 1045339041:1045339041(0) ack 331392030 win 32768 <mss 1460,sackOK,nop,nop>
>>
>> The "DSL" addr seems to be actually going out the "cable" interface, I get responses
>> on the "DSL" interface.
>>
>> I don't understand why the "DSL" ip addr is being used on the "cable" interface.
>> I must have to do something else to get the "cable" ipaddr to be used on the "cable"
>> interface? The ".smtp" traffic is the only traffic I see with the "DSL" ipaddr.
>> (Using "tcpdump -i tlp1 host rockhead.com")
>>
>> I use fetchmail to retrieve my "cable" mail so a complete remap of port 25 to "DSL"
>> doesn't seem doable.
>>
>> I thought the first 7 lines from the ipf.conf file would fix this problem?
>>
>> Assistance with this is appreciated.
>>
>> TIA,
>> Paul
>>
>> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.40 to any
>> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.41 to any
>> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.42 to any
>> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.43 to any
>> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.44 to any
>> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.45 to any
>> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.46 to any
>> pass out log quick on tlp1 to ppp0 proto tcp/udp from any to 172.17/24
>> block in log quick on tlp1 from any to 172.16.89.42 port = 25
>> block in log quick on tlp1 from any to 172.16.89.42 port = 25
>> pass out log quick on tlp1 to tlp0 from 209.128.91.40 to any
>> pass out log quick on tlp1 to tlp0 from 209.128.91.41 to any
>> pass out log quick on tlp1 to tlp0 from 209.128.91.42 to any
>> pass out log quick on tlp1 to tlp0 from 209.128.91.43 to any
>> pass out log quick on tlp1 to tlp0 from 209.128.91.44 to any
>> pass out log quick on tlp1 to tlp0 from 209.128.91.45 to any
>> pass out log quick on tlp1 to tlp0 from 209.128.91.46 to any
>> block in log quick on tlp1 proto icmp from any to w95.rockhead.com
>> block in log quick on tlp1 from any to w95.rockhead.com port = 376
>> block in log quick on tlp1 from any to w95.rockhead.com port = 25
>> block in log quick on tlp1 from any to w95.rockhead.com port = 80
>> block in log quick on tlp1 from any to w95.rockhead.com port = 134
>> block out log quick on tlp1 from any to w95.rockhead.com port = 135
>> block in log quick on tlp1 from any to w95.rockhead.com port = 135
>> block in log quick on tlp1 from any to w95.rockhead.com port = 136
>> block in log quick on tlp1 from any to w95.rockhead.com port = 160
>> block in log quick on tlp1 from any to w95.rockhead.com port = 445
>> block out log quick on tlp1 from any to w95.rockhead.com port = 445
>> block out log quick on tlp1 from any to w95.rockhead.com port = 1024
>> block out log quick on tlp1 from any to w95.rockhead.com port = 1080
>> block out log quick on tlp1 from any to w95.rockhead.com port = 2000
>> block out log quick on tlp1 from any to w95.rockhead.com port = 2001
>> block in log quick on tlp1 from any to w95.rockhead.com port = 5554
>> block out log quick on tlp1 from any to w95.rockhead.com port = 5554
>> block in log quick on tlp1 from any to w95.rockhead.com port = 5742
>> block out log quick on tlp1 from any to w95.rockhead.com port = 5742
>> block in log quick on tlp1 from any to w95.rockhead.com port = 9996
>> block out log quick on tlp1 from any to w95.rockhead.com port = 9996
>> block out log quick on tlp1 from any to w95.rockhead.com port = 12345
>> block out log quick on tlp1 from any to w95.rockhead.com port = 12346
>> block out log quick on tlp1 from any to w95.rockhead.com port = 20034
>> block out log quick on tlp1 from any to w95.rockhead.com port = 31337
>> block out log quick on tlp1 from any to w95.rockhead.com port = 40421
>> block out log quick on tlp1 from any to w95.rockhead.com port = 40425
>> block out log quick on tlp1 from any to w95.rockhead.com port = 54320
>> block in log quick on tlp1 proto icmp from any to pauls-pc
>> block in log quick on tlp1 from any to pauls-pc port = 376
>> block in log quick on tlp1 from any to pauls-pc port = 25
>> block in log quick on tlp1 from any to pauls-pc port = 80
>> block in log quick on tlp1 from any to pauls-pc port = 134
>> block out log quick on tlp1 from any to pauls-pc port = 135
>> block in log quick on tlp1 from any to pauls-pc port = 135
>> block in log quick on tlp1 from any to pauls-pc port = 136
>> block in log quick on tlp1 from any to pauls-pc port = 160
>> block in log quick on tlp1 from any to pauls-pc port = 445
>> block out log quick on tlp1 from any to pauls-pc port = 445
>> block out log quick on tlp1 from any to pauls-pc port = 1024
>> block out log quick on tlp1 from any to pauls-pc port = 1080
>> block out log quick on tlp1 from any to pauls-pc port = 2000
>> block out log quick on tlp1 from any to pauls-pc port = 2001
>> block in log quick on tlp1 from any to pauls-pc port = 5554
>> block out log quick on tlp1 from any to pauls-pc port = 5554
>> block in log quick on tlp1 from any to pauls-pc port = 5742
>> block out log quick on tlp1 from any to pauls-pc port = 5742
>> block in log quick on tlp1 from any to pauls-pc port = 9996
>> block out log quick on tlp1 from any to pauls-pc port = 9996
>> block out log quick on tlp1 from any to pauls-pc port = 12345
>> block out log quick on tlp1 from any to pauls-pc port = 12346
>> block out log quick on tlp1 from any to pauls-pc port = 20034
>> block out log quick on tlp1 from any to pauls-pc port = 31337
>> block out log quick on tlp1 from any to pauls-pc port = 40421
>> block out log quick on tlp1 from any to pauls-pc port = 40425
>> block out log quick on tlp1 from any to pauls-pc port = 54320
>> block in log quick on tlp1 proto icmp from any to glorias-pc.rockhead.com
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 376
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 25
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 80
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 134
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 135
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 135
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 136
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 160
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 445
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 445
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 1024
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 1080
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 2000
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 2001
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 5554
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 5554
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 5742
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 5742
>> block in log quick on tlp1 from any to glorias-pc.rockhead.com port = 9996
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 9996
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 12345
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 12346
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 20034
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 31337
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 40421
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 40425
>> block out log quick on tlp1 from any to glorias-pc.rockhead.com port = 54320
>> block in log quick on tlp1 proto icmp from any to glorias-pc
>> block in log quick on tlp1 from any to glorias-pc port = 376
>> block in log quick on tlp1 from any to glorias-pc port = 80
>> block in log quick on tlp1 from any to glorias-pc port = 134
>> block out log quick on tlp1 from any to glorias-pc port = 135
>> block in log quick on tlp1 from any to glorias-pc port = 135
>> block in log quick on tlp1 from any to glorias-pc port = 136
>> block in log quick on tlp1 from any to glorias-pc port = 160
>> block in log quick on tlp1 from any to glorias-pc port = 445
>> block out log quick on tlp1 from any to glorias-pc port = 445
>> block in log quick on tlp1 from any to glorias-pc port = 5554
>> block out log quick on tlp1 from any to glorias-pc port = 5554
>> block in log quick on tlp1 from any to glorias-pc port = 5742
>> block out log quick on tlp1 from any to glorias-pc port = 5742
>> block in log quick on tlp1 from any to glorias-pc port = 9996
>> block out log quick on tlp1 from any to glorias-pc port = 9996
>> block out log quick on tlp1 from any to glorias-pc port = 12345
>> block out log quick on tlp1 from any to glorias-pc port = 12346
>> block out log quick on tlp1 from any to glorias-pc port = 20034
>> block out log quick on tlp1 from any to glorias-pc port = 31337
>> block out log quick on tlp1 from any to glorias-pc port = 40421
>> block out log quick on tlp1 from any to glorias-pc port = 40425
>> block out log quick on tlp1 from any to glorias-pc port = 54320
>> block out log quick on tlp1 from any to shell4.bayarea.net port = 25
>> block out log quick on tlp1 from any to shell4.bayarea.net port = 109
>> block out log quick on tlp1 from any to shell4.bayarea.net port = 110
>> block out log quick on tlp1 from any to smtpout1.bayarea.net port = 25
>> block out log quick on tlp1 from any to smtpout1.bayarea.net port = 109
>> block out log quick on tlp1 from any to smtpout1.bayarea.net port = 110
>> block out log quick on tlp1 from any to 205.219.84.13
>> block out log quick on tlp1 from any to mail.bayarea.net port = 25
>> block out log quick on tlp1 from any to mail.bayarea.net port = 109
>> block out log quick on tlp1 from any to mail.bayarea.net port = 110
>> pass in log on tlp1 proto tcp/udp from any to any port = 22 # ssh/scp
>> pass in log on tlp1 proto tcp/udp from any to any port = 2222 # ssh/scp
>> pass in log on tlp1 proto tcp/udp from any to any port = 22022 # ssh/scp
>> pass in log on tlp1 proto tcp/udp from any to any port = 22222 # ssh/scp
>> block in log on tlp1 proto tcp/udp from any to any port = 13 # daytime
>> block in log on tlp1 proto tcp/udp from any to any port = 19 # chargen
>> block out log on tlp1 proto tcp/udp from any to any port = 19 # chargen
>> block in log on tlp1 proto tcp/udp from any to any port = 21 # ftp
>> block in log on tlp1 proto tcp/udp from any to any port = 23 # telnet
>> block in log on tlp1 from any to any port = 23 # telnet
>> block in log on tlp1 proto tcp/udp from any to any port = 79 # finger
>> block in log on tlp1 proto tcp/udp from any to any port = 80 # www ... because at home blocks them anyway
>> block in log on tlp1 proto tcp/udp from any to any port = 109 # pop2 ... because at home blocks them anyway
>> block in log on tlp1 proto tcp/udp from any to any port = 110 # pop3 ... because at home blocks them anyway
>> block in log on tlp1 proto tcp/udp from any to any port = 111 # sunrpc
>> block in log on tlp1 proto tcp/udp from any to any port = 119 # news
>> block out log on tlp1 proto tcp/udp from any to any port = 135 # loc-srv
>> block out log on tlp1 proto tcp/udp from any to any port = 137 # NETBIOS Name Service
>> block in log on tlp1 proto tcp/udp from any to any port = 137 # NETBIOS Name Service
>> block out log on tlp1 proto tcp/udp from any to any port = 138 # NETBIOS Datagram Service
>> block in log on tlp1 proto tcp/udp from any to any port = 138 # NETBIOS Datagram Service
>> block out log on tlp1 proto tcp/udp from any to any port = 139 # NETBIOS Session Service
>> block in log on tlp1 proto tcp/udp from any to any port = 139 # NETBIOS Session Service
>> block in log on tlp1 proto tcp/udp from any to any port = 143 # imap3
>> block in log on tlp1 proto tcp/udp from any to any port = 161 # snmp
>> block in log on tlp1 proto tcp/udp from any to any port = 177 # xdmcp
>> block in log on tlp1 proto tcp/udp from any to any port = 213 # IPX
>> block in log on tlp1 proto tcp/udp from any to any port = 396 # netware-ip
>> block in log on tlp1 proto tcp/udp from any to any port = 445 # microsoft-ds
>> block in log on tlp1 proto tcp/udp from any to any port = 512 # exec/biff
>> block in log on tlp1 proto tcp/udp from any to any port = 513 # who/rlogin
>> block in log on tlp1 proto tcp/udp from any to any port = 514 # shell/syslog
>> block in log on tlp1 proto tcp/udp from any to any port = 515 # print spool
>> block out log on tlp1 proto tcp/udp from any to any port = 520 # route
>> block in log on tlp1 proto tcp/udp from any to any port = 525 # timed
>> block in log on tlp1 proto tcp/udp from any to any port = 540 # uucp
>> block in log on tlp1 proto tcp/udp from any to any port = 541 # rdist
>> block in log on tlp1 proto tcp/udp from any to any port = 556 # remotefs
>> block in log on tlp1 proto tcp/udp from any to any port = 587 # submission
>> block in log on tlp1 proto tcp/udp from any to any port = 2049 # nfs
>> block in log on tlp1 proto tcp/udp from any to any port = 3128 # squid-http
>> block in log on tlp1 proto tcp/udp from any to any port = 6000 # X11 Window system
>> block in log on tlp1 proto tcp/udp from any to any port = 8888 # sun-answerbook
>> block in log on tlp1 proto tcp/udp from any to any port = 9119 # HTTPD news
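As an added check (not code from the thread), a small Python script that parses `tcpdump -n` output and flags packets leaving an interface with a source address that belongs to another local link: the symptom Paul saw on tlp1, and the reason Tobias gives for the provider dropping such packets as spoofed. The tlp0 /29 is taken from the pf.conf snippet above; the cable prefix on tlp1 and the sample capture are constructed.

```python
import ipaddress
import re

# Source address space each link's provider accepts. The DSL /29 on tlp0 is
# the value from the thread's pf.conf; the cable lease on tlp1 is never
# stated in the thread, so it is a constructed placeholder.
IFACE_PREFIXES = {
    "tlp0": [ipaddress.ip_network("209.128.91.40/29")],  # DSL, from the thread
    "tlp1": [ipaddress.ip_network("192.0.2.0/24")],       # cable, constructed
}

# One "tcpdump -n -i <if>" line: "HH:MM:SS.usec IP src.sport > dst.dport: ..."
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+):")

def parse_line(line):
    """Return (src, sport, dst, dport) for a tcpdump -n line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return (ipaddress.ip_address(m.group(1)), m.group(2),
            ipaddress.ip_address(m.group(3)), m.group(4))

def off_interface_egress(iface, lines, prefixes=IFACE_PREFIXES):
    """Packets leaving `iface` whose source belongs to another local link.
    A capture sees both directions, so only packets sourced from one of our
    own prefixes count as egress; of those, a source outside `iface`'s own
    prefix is what the upstream provider will drop as spoofed."""
    own = prefixes[iface]
    local = [n for nets in prefixes.values() for n in nets]
    leaks = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, _ = pkt
        if any(src in n for n in local) and not any(src in n for n in own):
            leaks.append((str(src), sport, str(dst)))
    return leaks

# Constructed capture on the cable interface: line 1 mirrors the thread's
# SYN/ACK (DSL-space source, port 25) with hostnames replaced by addresses;
# lines 2-3 are ordinary cable-side traffic in both directions.
SAMPLE_TLP1 = """\
11:58:29.493860 IP 209.128.91.42.25 > 189.156.21.235.2041: S 1045339041:1045339041(0) ack 331392030 win 32768
11:58:30.001000 IP 192.0.2.10.49152 > 198.51.100.5.80: S 1:1(0) win 65535
11:58:30.500000 IP 198.51.100.5.80 > 192.0.2.10.49152: S 2:2(0) ack 2 win 5840
"""
```

Calling `off_interface_egress("tlp1", SAMPLE_TLP1.splitlines())` reports only the port-25 packet with the DSL-space source; an empty result after a rule change is the quickest sign that replies are going back out the right link.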