Re: port forwarding and ipfw rules

From: Richard Tector <richardtector_at_thekeelecentre.com>
Date: Fri, 19 Mar 2004 17:28:24 +0000
I don't think that this setup can be achieved using purely ipfw/natd. I think a
better approach would be to consider inserting a proxy between the two that
will do load balancing/failover. I believe squid can achieve this. It should do
round robin with requests to each server and if one does not respond then it
should continue by trying to request from the next server in the list.

Port 443 should be forwarded to the squid server instead (this could run on the
firewall box) and the squid server should be set up as a reverse proxy for the
two web servers. The squid homepage can help you with this.

In this setup, the client-server connection is then between the client's browser
and squid. Squid then makes its own connection to the server. If you have
'proper' certificates these will need to be put on the squid.

Hope this was of some help.

Kind regards,

Richard Tector
CAPL Ltd.
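The reverse-proxy arrangement described above, written out as an added example (this is not configuration from the reply or from the Squid project). It uses the Squid 3.x accelerator directives, which differ from the 2004-era squid 2.5 "httpd_accel_*" syntax; the site name www.example.com, the documentation addresses 192.0.2.110 (proxy) and 192.0.2.109 / 192.0.2.102 (the two web servers), and the certificate and key paths are all assumptions.

```squid
# Terminate TLS on the proxy: the public certificate and private key for the
# site now live on this box, as the reply points out.
https_port 192.0.2.110:443 accel defaultsite=www.example.com cert=/usr/local/etc/squid/certs/www.example.com.crt key=/usr/local/etc/squid/certs/www.example.com.key

# Both origin servers, round-robin. A peer whose connections keep failing is
# marked dead and skipped until it answers again, which gives the failover
# behaviour the thread is after. The proxy-to-backend hop is TLS as well, so
# the backends keep their own certificates and the inside leg is not plaintext.
# If those certificates come from a private CA, point sslcafile= at that CA
# instead of switching verification off.
cache_peer 192.0.2.109 parent 443 0 no-query originserver round-robin ssl name=web1
cache_peer 192.0.2.102 parent 443 0 no-query originserver round-robin ssl name=web2

# Forward only requests for our own site and refuse everything else, so the
# box cannot be driven as an open proxy from the Internet.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access web1 allow our_site
cache_peer_access web2 allow our_site
cache_peer_access web1 deny all
cache_peer_access web2 deny all
```

If Squid runs on the firewall itself, it listens on the interface addresses directly and the natd -redirect_port for 443 is removed, since the proxy, not natd, now decides which backend gets a connection. Because Squid opens its own connection to the backend, the web servers see the proxy's address as the client; log the original client from the X-Forwarded-For header Squid adds, or the access logs on the backends lose that information.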


Quoting ktulu_at_net2000.com.au:

> Hi All,
> 
> I have posted this question before, but I don't think I made myself very clear
> in what I was hoping to achieve.  Hopefully, this post will help out.
> 
> I have a situation where I have one network interface (fxp1) connected to the
> network with the IP address xxx.xxx.19.110 which is port forwarding (on port
> 443) to a host xxx.xxx.19.109.  Currently, this situation works fine.
> 
> The problem I'm having is that I have two of these machines doing the same thing
> and I require the ability for one machine to take over from the other in the
> event of a hardware failure, etc.  The diagram below basically shows what I want
> to achieve:
> 
> 
>          Internet
>         ----------
>             |
>             |
>             |
>     fxp1    |  fxp1
>    .19.110  |  .19.111
>             |  (alias)
>             |
>     -----------------
>     |      FW       |
>     | Default route |
>     |  xx.xx.19.225 |
>     |               |
>     -----------------
>             |
>            / \
>     fxp1  /   \ fxp1
>   .19.110/     \.19.111 (alias)
>         /       \
>        /         \
>       /           \
>      /             \
>     /               \
>    /                 \
>   /                   \
> -----               -----
> |   |               |   |
> |   |               |   |
> |   |               |   |
> |   |               |   |
> -----               -----
> Web Server          Web Server
> x.x.19.109:443      x.x.19.102:443
> 
> 
> This configuration must be able to be added and removed dynamically without
> affecting the existing network setup (other than changing ipfw rules).  Below
> are the relevant sections of my current configuration settings:
> 
> ***BEGIN /etc/rc.conf:
> network_interfaces="fxp1 lo0"
> ifconfig_lo0="inet 127.0.0.1"
> ifconfig_fxp1="inet xxx.xxx.19.110 netmask 255.255.255.0"
> defaultrouter="xxx.xxx.19.225"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="fxp1"
> natd_flags="-l -m -redirect_port tcp xxx.xxx.19.109:443 443"
> firewall_enable="YES"
> firewall_type="custom"
> firewall_script="/etc/rc.firewall"
> firewall_quiet="NO"
> tcp_extensions="YES"
> *** END /etc/rc.conf
> 
> *** BEGIN /etc/rc.firewall
> ############
> # Set the host IP address and the forwarding IP
> #
> # Set this to your ip address.
> ip="xxx.xxx.19.110"
> # Set this to the ip of the machine traffic on 443 is being forwarded to
> fwd_ip="xxx.xxx.19.109"
> # Set this to the IP of the machine this host is used as a failover for
> fail_ip="xxx.xxx.19.111"
> # Set this to the IP of the machine traffic on 443 of the failed host is being
> # forwarded to
> fail_forward="xxx.xxx.19.102"
> # Set this to the port of the new natd daemon for the failover
> fail_natd="8669"
> 
> case ${firewall_type} in
> [Cc][Uu][Ss][Tt][Oo][Mm])
> 
>         case ${natd_enable} in
>         [Yy][Ee][Ss])
>                 if [ -n "${natd_interface}" ]; then
>                         ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
>                 fi
>                 ;;
>         esac
> 
>         # Allow anything outbound from this address.
>         ${fwcmd} add allow all from ${ip} to any out
> 
>         # Deny anything outbound from other addresses.
>         ${fwcmd} add deny log all from any to any out
> 
>         # Allow TCP through if setup succeeded.
>         ${fwcmd} add allow tcp from any to any established
> 
>         # Allow IP fragments to pass through.
>         ${fwcmd} add allow all from any to any frag
> 
>         # Allow inbound ssh and http.
>         ${fwcmd} add allow tcp from any to ${ip} 22 setup
>         ${fwcmd} add allow tcp from any to ${ip} 80 setup
> 
>         # This record has to be slightly different because this machine is
>         # not actually listening on port 443, but just forwarding traffic on
>         # port 443 to ${fwd_ip}: natd has already rewritten the destination
>         # address by the time the packet reaches this rule.
>         ${fwcmd} add allow tcp from any to ${fwd_ip} 443
> 
>         # Deny inbound auth, netbios, ldap, and Microsoft's DB protocol
>         # without logging.
>         ${fwcmd} add deny tcp from any to ${ip} 113 setup
>         ${fwcmd} add deny tcp from any to ${ip} 139 setup
>         ${fwcmd} add deny tcp from any to ${ip} 389 setup
>         ${fwcmd} add deny tcp from any to ${ip} 445 setup
> 
>         # Deny some chatty UDP broadcast protocols without logging.
>         ${fwcmd} add deny udp from any 137 to any
>         ${fwcmd} add deny udp from any to any 137
>         ${fwcmd} add deny udp from any 138 to any
>         ${fwcmd} add deny udp from any 513 to any
>         ${fwcmd} add deny udp from any 525 to any
> 
>         # Allow inbound DNS and NTP replies.  This is somewhat of a hole,
>         # since we're looking at the incoming port number, which can be
>         # faked, but that's just the way DNS and NTP work.
>         ${fwcmd} add allow udp from any 53 to ${ip}
>         ${fwcmd} add allow udp from any 123 to ${ip}
> 
>         # Allow inbound DNS queries.
>         ${fwcmd} add allow udp from any to ${ip} 53
> 
>         # Deny inbound NTP queries without logging.
>         ${fwcmd} add deny udp from any to ${ip} 123
> 
>         # Allow traceroute to function, but not to get in.
>         ${fwcmd} add unreach port udp from any to ${ip} 33435-33524
> 
>         # Allow some inbound icmps - echo reply, dest unreach, source quench,
>         # echo, ttl exceeded.
>         ${fwcmd} add allow icmp from any to any icmptypes 0,3,4,8,11
> 
>         # Everything else is denied and logged.
>         ${fwcmd} add deny log all from any to any
>         ;;
> *** END /etc/rc.firewall
> 
> 
> Basically, what I've done to try and add the other configuration to this box is
> as follows:
> 
> 1. Add the aliased IP to fxp1:
> ifconfig fxp1 inet xxx.xxx.19.111 netmask 255.255.255.255 alias
> 
> 2. Start the additional natd daemon:
> /sbin/natd -same_ports -use_sockets -port 8669 -alias_address xxx.xxx.19.111 \
>     -redirect_port tcp xxx.xxx.19.102:443 xxx.xxx.19.111:443
> 
> 3. Change the ipfw rules to allow this new configuration through.  This is
> basically the same as the firewall rules above, but each entry is doubled, where
> ${ip} becomes ${fail_ip}.  In addition to this, another rule is entered in the
> "natd_enable" section to divert the new natd:
>         case ${natd_enable} in
>         [Yy][Ee][Ss])
>                 if [ -n "${natd_interface}" ]; then
>                         ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
>                         ${fwcmd} add 50 divert ${fail_natd} all from any to any via ${natd_interface}
>                 fi
>                 ;;
>         esac
> 
> 
> Once I've added this, this port forwarding on xxx.xxx.19.110 still works, but
> the port forwarding on the aliased IP (xxx.xxx.19.111) doesn't!  I'm not sure
> exactly where the problem lies, but I assume it has something to do with my ipfw
> ruleset.  I looked at a previous post here:
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-March/000976.html that
> looks similar to my situation, but still no love.
> 
> If any could help out with the config, it'd be much appreciated!  I'm more than
> happy to provide any further config details, tcp dumps, etc.
> 
> Regards,
> Leigh
> _______________________________________________
> freebsd-ipfw_at_freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe_at_freebsd.org"
> 
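The takeover procedure in the quoted post (alias the address, start a second natd, add divert rules), as one added example in shell. This is not code from the post; it goes a little beyond it by giving the two natd instances distinct rule numbers so the failover rules can be listed and deleted on their own, by narrowing each divert to the traffic that instance must translate rather than "all from any to any via fxp1", and by pairing the takeover with the release the post says it must support. Assumptions: the 192.0.2.0/24 documentation prefix stands in for the post's xxx.xxx.19.x hosts, the primary natd listens on the default "natd" divert port and does no other translation on fxp1 (if it also masquerades other hosts, keep its original wider divert rule), and the natd pid file path is invented for the example. By default it only prints the commands; on the firewall run it as root with FWCMD=/sbin/ipfw and RUN set to empty.

```shell
#!/bin/sh
# Added example: failover address takeover and release for the ipfw/natd
# setup in the thread. Dry run unless FWCMD and RUN are overridden.

fwcmd="${FWCMD:-echo ipfw}"   # FWCMD=/sbin/ipfw loads rules for real
run="${RUN-echo}"             # RUN= (empty) executes ifconfig and natd

ip="192.0.2.110"            # primary address of fxp1 (assumed)
fwd_ip="192.0.2.109"        # backend reached through $ip:443 (assumed)
fail_ip="192.0.2.111"       # aliased address taken over from the failed peer
fail_forward="192.0.2.102"  # backend reached through $fail_ip:443 (assumed)
natd_interface="fxp1"
fail_natd="8669"            # divert port of the second natd, as in the post
natd_pidfile="/var/run/natd-failover.pid"   # assumed path

# Divert rules for both natd instances. Rule 50 belongs to the primary natd
# and 51 to the failover one, so 'ipfw show 51' reports exactly the failover
# traffic and 'ipfw delete 51' removes only those rules. Each natd sees only
# what it must rewrite: new connections to its alias address on the way in,
# and the backend's replies on the way out.
failover_rules() {
    ${fwcmd} add 50 divert natd tcp from any to "${ip}" 443 in via "${natd_interface}"
    ${fwcmd} add 50 divert natd tcp from "${fwd_ip}" 443 to any out via "${natd_interface}"
    ${fwcmd} add 51 divert "${fail_natd}" tcp from any to "${fail_ip}" 443 in via "${natd_interface}"
    ${fwcmd} add 51 divert "${fail_natd}" tcp from "${fail_forward}" 443 to any out via "${natd_interface}"
    # After natd rewrote the destination the packet is addressed to the
    # backend, so the pass rule names the backend, not the alias. Admit only
    # the SYN here; the ruleset's existing 'established' rule carries the rest.
    ${fwcmd} add 60 allow tcp from any to "${fwd_ip}" 443 setup
    ${fwcmd} add 61 allow tcp from any to "${fail_forward}" 443 setup
}

# Bring the failed peer's address up on this box, start its natd, load rules.
takeover_failover() {
    ${run} ifconfig "${natd_interface}" inet "${fail_ip}" netmask 255.255.255.255 alias
    ${run} /sbin/natd -same_ports -use_sockets -port "${fail_natd}" \
        -alias_address "${fail_ip}" -pid_file "${natd_pidfile}" \
        -redirect_port tcp "${fail_forward}:443" "${fail_ip}:443"
    failover_rules
}

# Undo the takeover. Rules go first: ipfw drops packets diverted to a port
# nobody listens on, so stopping natd before deleting rule 51 would black-hole
# connections to the alias for the gap in between.
release_failover() {
    ${fwcmd} delete 51
    ${fwcmd} delete 61
    ${run} kill "$(cat "${natd_pidfile}" 2>/dev/null || echo '<natd-pid>')"
    ${run} ifconfig "${natd_interface}" inet "${fail_ip}" -alias
}

case "${1:-}" in
    takeover) takeover_failover ;;
    release)  release_failover ;;
esac
```

When debugging a setup like the one in the post, watch the counters from 'ipfw show 51' while connecting to the alias address: if the inbound divert rule counts packets but the allow rule for the failover backend does not, natd is not translating; if neither counts, the packet never reached the rule. Also check that the ruleset carries an allow for the translated destination (${fail_forward} port 443), mirroring the one the post has for ${fwd_ip}, or the rewritten packet falls through to the final "deny log" rule. Finally look at 'sysctl net.inet.ip.fw.one_pass': on releases where it applies to divert reinjection, a packet coming back from natd is accepted without evaluating the rules below, which is worth knowing when the divert rule matches all traffic on the interface.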
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Received on Fri Mar 19 2004 - 08:34:49 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:48 UTC