
Re: [obsdfr-misc] Re: PF and multiple Internet service providers



On Tuesday 17 November 2009 at 14:05 +0100, Laurent Cheylus wrote:
> It is indeed "reply-to" that you have to use to specify the outgoing
> gateway for return packets (the SYN/ACK answering the inbound
> connection to your servers). Indeed, there is not much documentation
> on the subject (no example in the pf.conf manpage, nor in the FAQ, and
> no better in the "Book of PF"...).

Nor in Jacek Artymiak's book...

> Excerpt from the pf.conf manpage:
> 
> reply-to 
[...]

Without an example to back up the explanation, it's hard.

> See this post, which gives an example of a PF rule with reply-to:
> 
> http://lists.freebsd.org/pipermail/freebsd-pf/2005-November/001615.html

Here is what I tried:
=====================
nat log (all) on $WAN_IF from $LAN_NETWORK to any port { http } -> \
	($WAN_FAIb_CARP_IF)
nat log (all) on $WAN_IF from $LAN_NETWORK to any -> \
	($WAN_FAIa90_CARP_IF)

rdr log (all) on $WAN_IF proto tcp from any to $FAIa_IP_MAIN \
	port 8443 -> $DEMO_IP port https

pass out log (all) all
pass in quick log (all) on $WAN_IF \
	reply-to ( $WAN_FAIa90_CARP_IF 142.18.76.89 ) proto tcp \
	from any to $DEMO_IP port { http, https } flags S/SA
=====================

I now have strange behaviour: nothing shows up anymore on the pflog
interface on port 8443:
=====================
OpenBSD-4.5 anubisA ~ # tcpdump -vvvv -nettti pflog0 host 88.191.98.203 and port 8443
tcpdump: listening on pflog0, link-type PFLOG
^C
2799 packets received by filter
0 packets dropped by kernel
OpenBSD-4.5 anubisA ~ #
=====================

On the other hand, if I filter on the internal redirection port:
=====================
OpenBSD-4.5 anubisA ~ # tcpdump -vvvv -nettti pflog0 host 88.191.98.203 and port 443
tcpdump: listening on pflog0, link-type PFLOG
Nov 17 23:33:56.568765 rule 39/(match) [uid 0, pid 16354] pass in on vr0: 88.191.98.203.41632 > 10.149.0.200.443: S 1086982160:1086982160(0) win 5840 <mss 1460,sackOK,timestamp 3906699572[|tcp]> (DF) (ttl 54, id 35108, len 60)
Nov 17 23:33:56.568858 rule 15/(match) [uid 0, pid 16354] pass out on vr2: 88.191.98.203.41632 > 10.149.0.200.443: S 1086982160:1086982160(0) win 5840 <mss 1460,sackOK,timestamp 3906699572[|tcp]> (DF) (ttl 53, id 35108, len 60)
Nov 17 23:33:56.569409 rule 15/(match) [uid 0, pid 16354] pass in on vr2: 10.149.0.200.443 > 88.191.98.203.41632: S 276258896:276258896(0) ack 1086982161 win 5792 <mss 1460,sackOK,timestamp 158753551[|tcp]> (DF) (ttl 64, id 0, len 60)
Nov 17 23:33:56.569462 rule 11/(match) [uid 0, pid 16354] rdr out on vr0: 10.149.0.200.443 > 88.191.98.203.41632: S 276258896:276258896(0) ack 1086982161 win 5792 <mss 1460,sackOK,timestamp 158753551[|tcp]> (DF) (ttl 63, id 0, len 60)
[...]
^C
1876 packets received by filter
0 packets dropped by kernel
OpenBSD-4.5 anubisA ~ #
=====================
We can clearly see the packet arriving, then being translated internally,
then coming back towards the external interface.

But when I capture on vr0, I see nothing going out (filtering on the
external listening port):
=====================
OpenBSD-4.5 anubisA ~ # tcpdump -vvvv -nettti vr0 host 88.191.98.203 and \( port 8443 or port 443 \)
tcpdump: listening on vr0, link-type EN10MB
Nov 18 00:19:14.922294 00:1d:a2:c2:ce:60 00:00:5e:00:01:04 0800 74: 88.191.98.203.54136 > 142.18.76.90.8443: S [tcp sum ok] 757957628:757957628(0) win 5840 <mss 1460,sackOK,timestamp 3907515101 0,nop,wscale 7> (DF) (ttl 54, id 28961, len 60)
^C
6087 packets received by filter
0 packets dropped by kernel
OpenBSD-4.5 anubisA ~ #
=====================

On the other hand, if I filter on port 443 on the internal interface, I
get this:
=====================
OpenBSD-4.5 anubisA ~ # tcpdump -vvvv -nettti vr2 host 88.191.98.203 and port 443
tcpdump: listening on vr2, link-type EN10MB
Nov 17 23:35:53.790108 00:00:24:cb:58:de 00:0c:29:3f:11:6f 0800 74: 88.191.98.203.47173 > 10.149.0.200.443: S [tcp sum ok] 2929174408:2929174408(0) win 5840 <mss 1460,sackOK,timestamp 3906734740 0,nop,wscale 7> (DF) (ttl 53, id 44316, len 60)
Nov 17 23:35:53.790715 00:0c:29:3f:11:6f 00:00:5e:00:01:02 0800 74: 10.149.0.200.443 > 88.191.98.203.47173: S [tcp sum ok] 421952315:421952315(0) ack 2929174409 win 5792 <mss 1460,sackOK,timestamp 158782852 3906734740,nop,wscale 7> (DF) (ttl 64, id 0, len 60)
Nov 17 23:35:56.794351 00:0c:29:3f:11:6f 00:00:5e:00:01:02 0800 74: 10.149.0.200.443 > 88.191.98.203.47173: S [tcp sum ok] 421952315:421952315(0) ack 2929174409 win 5792 <mss 1460,sackOK,timestamp 158783603 3906734740,nop,wscale 7> (DF) (ttl 64, id 0, len 60)
[...]
^C
24098 packets received by filter
0 packets dropped by kernel
OpenBSD-4.5 anubisA ~ #
====================

As a reminder, I see nothing going out on vr0, whatever the port
(8443 or 443):
====================
OpenBSD-4.5 anubisA ~ # tcpdump -vvvv -nettti vr0 host 88.191.98.203 and \( port 8443 or port 443 \)
tcpdump: listening on vr0, link-type EN10MB
Nov 18 00:23:16.802093 00:1d:a2:c2:ce:60 00:00:5e:00:01:04 0800 74: 88.191.98.203.41941 > 142.18.76.90.8443: S [tcp sum ok] 257437682:257437682(0) win 5840 <mss 1460,sackOK,timestamp 3907587661 0,nop,wscale 7> (DF) (ttl 54, id 8639, len 60)
Nov 18 00:23:17.801615 00:1d:a2:c2:ce:60 00:00:5e:00:01:04 0800 74: 88.191.98.203.41942 > 142.18.76.90.8443: S [tcp sum ok] 275041377:275041377(0) win 5840 <mss 1460,sackOK,timestamp 3907587962 0,nop,wscale 7> (DF) (ttl 54, id 49947, len 60)
^C
4701 packets received by filter
0 packets dropped by kernel
OpenBSD-4.5 anubisA ~ #
====================

Whereas, without changing the rules, connections initiated from the
inside (from the internal server concerned) are NATed correctly:
====================
OpenBSD-4.5 anubisA ~ # tcpdump -vvvv -nettti pflog0 host 88.191.98.203 and port 80
tcpdump: listening on pflog0, link-type PFLOG
Nov 18 00:08:26.178774 rule 170/(match) [uid 0, pid 8113] pass in on vr2: 10.149.0.200.59399 > 88.191.98.203.80: S 2470268420:2470268420(0) win 5840 <mss 1460,sackOK,timestamp 159270884[|tcp]> (DF) (ttl 64, id 2528, len 60)
Nov 18 00:08:26.178873 rule 15/(match) [uid 0, pid 8113] pass out on vr0: 89.132.88.54.62277 > 88.191.98.203.80: S 2470268420:2470268420(0) win 5840 <mss 1460,sackOK,timestamp 159270884[|tcp]> (DF) (ttl 64, id 2528, len 60)
Nov 18 00:08:26.199044 rule 1/(match) [uid 0, pid 8113] nat in on vr0: 88.191.98.203.80 > 10.149.0.200.59399: S 3477865083:3477865083(0) ack 2470268421 win 5792 <mss 1460,sackOK,timestamp 3907320559[|tcp]> (DF) (ttl 59, id 0, len 60)
Nov 18 00:08:26.199095 rule 170/(match) [uid 0, pid 8113] pass out on vr2: 88.191.98.203.80 > 10.149.0.200.59399: S 3477865083:3477865083(0) ack 2470268421 win 5792 <mss 1460,sackOK,timestamp 3907320559[|tcp]> (DF) (ttl 58, id 0, len 60)
Nov 18 00:08:26.199595 rule 170/(match) [uid 0, pid 8113] pass in on vr2: 10.149.0.200.59399 > 88.191.98.203.80: . [tcp sum ok] 1:1(0) ack 1 win 46 <nop,nop,timestamp 159270890 3907320559> (DF) (ttl 64, id 2529, len 52)
Nov 18 00:08:26.199617 rule 1/(match) [uid 0, pid 8113] nat out on vr0: 89.132.88.54.62277 > 88.191.98.203.80: . [tcp sum ok] 2470268421:2470268421(0) ack 3477865084 win 46 <nop,nop,timestamp 159270890 3907320559> (DF) (ttl 64, id 2529, len 52)
[...]
^C
2474 packets received by filter
0 packets dropped by kernel
OpenBSD-4.5 anubisA ~ #
====================
That said, I may be mistaken about the use of the "rdr" and "nat"
keywords in the pflog0 output depending on the direction of the
connections...

So I'm still stuck; even though there's a good chance that "reply-to"
is the right solution, I can't manage to use it properly.

I'm open to any suggestion.

Good evening,
-- 
Raph
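The diagnostic carried out by hand above (comparing what pflog0 reports for the outside interface with what actually appears on the wire of vr0), as an added example that is not part of the original message or of OpenBSD: a small Python checker for the two tcpdump line formats shown, keyed on the client endpoint, which rdr leaves untouched. The sample lines are constructed from the traces above; interface name vr0 and the four stage names are assumptions of this example.

```python
import re

# Constructed sample lines modelled on the OpenBSD 4.5 traces in this message
# (tcpdump -nettti on pflog0 and on the outside interface vr0); not the author's data.
PFLOG = """\
Nov 17 23:33:56.568765 rule 39/(match) [uid 0, pid 16354] pass in on vr0: 88.191.98.203.41632 > 10.149.0.200.443: S 1086982160:1086982160(0) win 5840 (DF)
Nov 17 23:33:56.568858 rule 15/(match) [uid 0, pid 16354] pass out on vr2: 88.191.98.203.41632 > 10.149.0.200.443: S 1086982160:1086982160(0) win 5840 (DF)
Nov 17 23:33:56.569409 rule 15/(match) [uid 0, pid 16354] pass in on vr2: 10.149.0.200.443 > 88.191.98.203.41632: S 276258896:276258896(0) ack 1086982161 win 5792 (DF)
Nov 17 23:33:56.569462 rule 11/(match) [uid 0, pid 16354] rdr out on vr0: 10.149.0.200.443 > 88.191.98.203.41632: S 276258896:276258896(0) ack 1086982161 win 5792 (DF)
"""
WIRE_VR0 = """\
Nov 17 23:33:56.568700 00:1d:a2:c2:ce:60 00:00:5e:00:01:04 0800 74: 88.191.98.203.41632 > 142.18.76.90.8443: S [tcp sum ok] 1086982160:1086982160(0) win 5840 (DF)
Nov 17 23:35:53.790000 00:1d:a2:c2:ce:60 00:00:5e:00:01:04 0800 74: 88.191.98.203.47173 > 142.18.76.90.8443: S [tcp sum ok] 2929174408:2929174408(0) win 5840 (DF)
"""

PF_RE = re.compile(r"rule \d+/\(match\) \[[^\]]*\] \w+ (?P<dir>in|out) on (?P<ifname>\w+): ")
TCP_RE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+) (?P<rest>.*)")
# Handshake stages in the order a reply-to'd inbound connection should traverse them.
STAGES = ("syn_on_wire", "syn_pf_in", "synack_pf_out", "synack_on_wire")

def parse_tcp(line):
    # Return (client endpoint, "syn" | "synack") for a SYN or SYN/ACK line, else None.
    # The client endpoint is not rewritten by rdr, so it keys one flow across both views.
    m = TCP_RE.search(line)
    if not m or "S" not in m["flags"]:
        return None
    if " ack " in m["rest"]:          # SYN/ACK: the client is the destination
        return (m["dst"], m["dport"]), "synack"
    return (m["src"], m["sport"]), "syn"

def analyze(pflog_text, wire_text, ext_if):
    # Map each client endpoint to the set of stages observed on ext_if.
    flows = {}
    for line in pflog_text.splitlines():
        pf, tcp = PF_RE.search(line), parse_tcp(line)
        if pf and tcp and pf["ifname"] == ext_if:
            client, kind = tcp
            stage = {("syn", "in"): "syn_pf_in", ("synack", "out"): "synack_pf_out"}.get((kind, pf["dir"]))
            if stage:
                flows.setdefault(client, set()).add(stage)
    for line in wire_text.splitlines():
        tcp = parse_tcp(line)
        if tcp:
            flows.setdefault(tcp[0], set()).add(tcp[1] + "_on_wire")
    return flows

def first_missing_stage(seen):
    # Name the first stage a flow never reached, or None when the handshake completed.
    return next((s for s in STAGES if s not in seen), None)
```

For the flow traced above the checker reports "synack_on_wire" as the first missing stage: pf logged the SYN/ACK as leaving vr0, yet it never appeared on the wire, which is exactly the gap the captures show.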