Edit detail for openbsd pf revision 7 of 7

Editor: rgouveia
Time: 2011/01/24 20:14:27 GMT+1
Note:

added:
and http://www.openbsd.org/faq/faq6.html#Multipath

Using two ISPs for outgoing traffic: one for the DMZ, the other for the LAN

This was a test case based on http://www.openbsd.org/faq/pf/pools.html#outgoing and http://www.openbsd.org/faq/faq6.html#Multipath. Both default routes are installed as multipath routes (-mpath). The FAQ multipath section also requires net.inet.ip.multipath=1 (sysctl), otherwise the kernel only ever uses the first default route for the gateway's own traffic. Traffic from the DMZ and the LAN is steered with pf route-to rules and does not depend on which default route the kernel picks.



/etc/hostname.em0
# a line starting with "!" is run as a shell command by netstart(8);
# without the "!" it would be passed to ifconfig and fail
inet 10.1.42.106/24
!route add -mpath default 10.1.42.254
description ISP1

/etc/hostname.fxp0
inet 10.0.2.15/24
!route add -mpath default 10.0.2.2
description ISP2

route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.1.42.254        UGSP       1      165     -     8 em0  
default            10.0.2.2           UGSP       1      164     -     8 fxp0 

/etc/pf.conf
#  admin host allowed to ssh into the gateway via ISP1
myhost = "10.1.42.5"

dmz_net = "172.16.1.0/24"
dmz_if  = "bge0"

lan_net = "192.168.66.0/24"
lan_if  = "re0"

ext_if1 = "em0"
ext_if2 = "fxp0"
ext_gw1 = "10.1.42.254"
ext_gw2 = "10.0.2.2"

set skip on lo0

### NAT
#  nat outgoing connections on each internet interface
match out on $ext_if1 from $dmz_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

#  default deny
block log all


### LAN
#  pass all outgoing packets on internal interface
pass out on $lan_if to $lan_net
#  pass in quick any packets destined for the gateway itself
pass in quick on $lan_if from $lan_net to ($lan_if)
#  LAN -> DMZ must be handled before the route-to rule below; route-to
#  applies to every packet that matches it, so without this rule LAN
#  traffic for the DMZ would be forced out through ISP2
pass in quick on $lan_if from $lan_net to $dmz_net
#  redirect outgoing lan traffic to ext_gw2
pass in on $lan_if from $lan_net route-to ($ext_if2 $ext_gw2)

### DMZ
#  pass all outgoing packets on DMZ interface
pass out on $dmz_if to $dmz_net
#  pass in quick any packets destined for the gateway itself
pass in quick on $dmz_if from $dmz_net to ($dmz_if)
#  the DMZ must not open connections into the LAN; block this explicitly,
#  otherwise such packets would be caught by the route-to rule below and
#  sent out through ISP1 instead of being dropped
block in log quick on $dmz_if from $dmz_net to $lan_net
#  redirect outgoing DMZ traffic to ext_gw1
pass in on $dmz_if from $dmz_net route-to ($ext_if1 $ext_gw1)

#  general "pass out" rules for external interfaces
pass out on $ext_if1
pass out on $ext_if2

#  replies to connections that arrived on one ISP must leave through that
#  ISP's gateway even when the routing table picks the other interface:
#  packets sourced from $ext_if2's address but routed out $ext_if1 are sent
#  back via $ext_gw2, and vice versa
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

### SSH ACCESS
#  only the admin host, and only to the gateway's own address on ISP1;
#  a bare "to port ssh" would also pass ssh from that host forwarded
#  towards the DMZ, since "pass out on $dmz_if to $dmz_net" lets it through
pass in quick on $ext_if1 proto tcp from $myhost to ($ext_if1) port ssh
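To confirm that the gateway really has the two multipath default routes the pf rules rely on, the following check script was added here; it is not from the original page or from OpenBSD. It assumes the route(8) column layout shown above (Destination Gateway Flags Refs Use Mtu Prio Iface), the sysctl name net.inet.ip.multipath, and, on the gateway itself, that pfctl -nf can parse /etc/pf.conf. Off the gateway it runs against a constructed copy of the route table above so the checks can be exercised anywhere.

```shell
#!/bin/sh
# Added verification script for the two-ISP setup above (not part of the
# original page). It checks that the kernel has two multipath default
# routes of equal priority, that net.inet.ip.multipath is enabled and, on
# the gateway, that pf.conf parses. Column layout assumed for route(8):
#   Destination Gateway Flags Refs Use Mtu Prio Iface

# Count "default" routes carrying the P (multipath) flag in route(8)
# output read from stdin.
count_mpath_defaults() {
    awk '$1 == "default" && $3 ~ /P/ { n++ } END { print n + 0 }'
}

# Succeed only if every multipath default route has the same priority;
# the kernel only balances between routes of equal priority.
mpath_prio_consistent() {
    awk '$1 == "default" && $3 ~ /P/ { prio[$7] = 1 }
         END { n = 0; for (k in prio) n++; exit (n == 1 ? 0 : 1) }'
}

# Succeed only if sysctl output on stdin reports net.inet.ip.multipath=1.
multipath_enabled() {
    awk -F= '$1 == "net.inet.ip.multipath" { v = $2 }
             END { exit (v == 1 ? 0 : 1) }'
}

# Constructed sample matching the route table shown above (plus one
# ordinary connected route); used when not running on OpenBSD.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.1.42.254        UGSP       1      165     -     8 em0
default            10.0.2.2           UGSP       1      164     -     8 fxp0
10.0.2.0/24        link#2             UC         1        0     -     4 fxp0'
SAMPLE_SYSCTL='net.inet.ip.multipath=1'

# Run all checks. On the OpenBSD gateway the live route table, sysctl and
# pf.conf are inspected; elsewhere the constructed sample is used.
check_gateway() {
    if [ "$(uname -s)" = OpenBSD ]; then
        routes=$(route -n show -inet)
        mp=$(sysctl net.inet.ip.multipath)
        pfctl -nf /etc/pf.conf || { echo "pf.conf does not parse"; return 1; }
    else
        routes=$SAMPLE_ROUTES
        mp=$SAMPLE_SYSCTL
    fi
    n=$(printf '%s\n' "$routes" | count_mpath_defaults)
    [ "$n" -ge 2 ] || { echo "only $n multipath default route(s), expected 2"; return 1; }
    printf '%s\n' "$routes" | mpath_prio_consistent \
        || { echo "multipath default routes have different priorities"; return 1; }
    printf '%s\n' "$mp" | multipath_enabled \
        || { echo "net.inet.ip.multipath is not 1; only the first default route is used"; return 1; }
    echo "ok: $n multipath default routes, multipath enabled"
}

check_gateway
```

Run it on the gateway after netstart has processed the hostname.if files; a missing "!" in front of the route add lines, or a forgotten sysctl, shows up as a failed check before any traffic is tested through pf.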