
Anonymous

#13602 ·published 2005-06-06 20:49 UTC

                         ~~~
                       ( net )
                         ~~~
                          |
                          |
                          |
                      ----------
                     |  switch  |
                      ---------- 
                      /        \
                     /   VIP    \
             ----------      ----------
            |   FW1   |       |  FW2  |
             ----------      ----------
                    \    VIP   /
                     \        /
                     ----------
                    |  switch  |
                     ----------
                      /      \ 
                     /        \
              ----------     ----------
             | server1  |   | server2  |
              ----------     ----------


FW2
out XL2 204.18.109.138 
mid XL1 10.10.10.1
in XL0 172.16.0.2
shared carp 0-1-2 204.18.109.140
shared carp2 and carp 3 172.16.0.200

FW1
out XL2 204.18.109.139
mid XL1 10.10.10.2
in XL0 172.16.0.1
shared carp 0-1-2 204.18.109.140
shared carp2 and carp 3 172.16.0.200


SERVER 1
ip 172.16.0.100/24
GW 172.16.0.200 
172.16.0.101 SERVER 2

SERVER 2
ip 172.16.0.101/24
GW 172.16.0.200 



MES ifconfig
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        inet6 fe80::201:3ff:febe:84d4%xl0 prefixlen 64 scopeid 0x1 
        ether 00:01:03:be:84:d4
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
        inet6 fe80::201:2ff:fe43:c106%xl1 prefixlen 64 scopeid 0x2 
        ether 00:01:02:43:c1:06
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 204.18.109.139 netmask 0xfffffff8 broadcast 204.18.109.143
        inet6 fe80::240:caff:fe97:3c6c%xl2 prefixlen 64 scopeid 0x3 
        ether 00:40:ca:97:3c:6c
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000 
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
pfsync0: flags=41<UP,RUNNING> mtu 1348
        inet 10.10.10.1 netmask 0xff000000 
        pfsync: syncif: xl1 maxupd: 128
carp0: flags=41<UP,RUNNING> mtu 1500
        inet 204.18.109.140 netmask 0xfffffff8 
        inet 204.18.109.141 netmask 0xfffffff8 
        carp: BACKUP vhid 1 advbase 1 advskew 0
carp1: flags=41<UP,RUNNING> mtu 1500
        inet 204.18.109.140 netmask 0xfffffff8 
        inet 204.18.109.141 netmask 0xfffffff8 
        carp: BACKUP vhid 2 advbase 1 advskew 100
carp2: flags=41<UP,RUNNING> mtu 1500
        inet 172.16.0.200 netmask 0xffffff00 
        carp: BACKUP vhid 1 advbase 1 advskew 0
carp3: flags=41<UP,RUNNING> mtu 1500
        inet 172.16.0.200 netmask 0xffffff00 
        carp: BACKUP vhid 2 advbase 1 advskew 100


Mais je ne peux même pas ping outside ni DNS

voici pf.conf

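# pf.conf for the CARP/pfsync firewall pair drawn above.
# pf evaluates filter rules top to bottom and the LAST matching rule wins
# unless a rule says "quick".  Every filter rule in this file is a "pass",
# so as pasted nothing is ever blocked: read it as a logging tap, not as a
# filtering policy (see the note at the two default rules below).

set limit { states 20000, frags 20000 }
#set optimization aggressive
set optimization normal

# Rejected packets get a TCP RST / ICMP unreachable instead of being
# dropped silently.  Only takes effect once a "block" rule exists.
set block-policy return

# "loud" is the most verbose debug level; fine while troubleshooting,
# but it floods the log, so lower it again once the problem is solved.
set debug loud

#
# Variable definitions.
#

# My ext_if interface. pf can also interpret ext_if_interface as an  ip.
# This is very practical for dynamic ips.
ext_if = "xl2"
int_if = "xl0"
loop   = "lo0"
pfsync_if="xl1"
# carp2/carp3 are pseudo-interfaces.  Packets for the 172.16.0.200 VIP
# arrive on the physical $int_if, so rules written "on carp2"/"on carp3"
# match very little; the "on $int_if" rules are the ones that count.
carp_intif = "carp2 carp3"
all_if = "{" $ext_if $int_if $carp_intif "}"
allint_if = "{" $int_if $carp_intif  "}"

internal_net="172.16.0.200"
# Was "204.88.109.140".  Every other public address on this page (xl2,
# carp0, carp1, $carp_ext) is 204.18.109.x, so the 88 was a typo.  No rule
# in the file as pasted references $external_addr.
external_addr="204.18.109.140"
carp_ext="204.18.109.140"
carp_int="172.16.0.200"

# <allint>: both firewalls' inside addresses, the inside VIP and the two
# servers.  <asts>: the two servers only.  None of the three tables is
# referenced by a rule in the file as pasted.
table <myinternal> { 172.16.0.1, 172.16.0.200}
table <allint> { $internal_net, 172.16.0.1, 172.16.0.2, 172.16.0.100, 172.16.0.101 }
table <asts> { 172.16.0.100, 172.16.0.101 }

# "flags" requires a "<set>/<mask>" argument; the previous value
# "flags  keep state" is a syntax error wherever $TCP_OPTIONS is expanded
# (it is not expanded anywhere in the file as pasted).  Restored to the
# value that was commented out above it.
TCP_OPTIONS = "flags S/SAFRUP keep state"

# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
# Source addresses that must never arrive from the Internet on $ext_if.
# 172.16.0.0/12 covers the inside LAN, which is exactly what an inbound
# anti-spoof rule on $ext_if should reject.
# NOTE(review): 20.20.20.0/24 is not an IANA reserved or RFC 1918 block;
# it looks site-specific, confirm it is intended.
# Nothing in the file as pasted uses $reserved, so no anti-spoof filtering
# is currently in effect.
reserved = " {
        0.0.0.0/8,      10.0.0.0/8,     20.20.20.0/24,  127.0.0.0/8,
        169.254.0.0/16, 172.16.0.0/12,  192.0.2.0/24,   192.168.0.0/16,
        224.0.0.0/3,    255.255.255.255 } "

# Services the servers offer.  4569 and 5060 are the IANA ports for IAX
# and SIP, consistent with the <asts> table name.  Unreferenced as pasted.
server = "{ smtp, http , 4569, 5060}"

# Ports the inside may open towards the Internet.  Unreferenced as pasted.
allowed_outgoing = "{ ssh, smtp, finger, http, https, pop3, 4569, 5060, 1978,53  }"

# Reassemble fragments arriving on the outside before filtering.
scrub in on $ext_if all

# NOTE(review): no "nat on $ext_if" rule appears anywhere in the pasted
# file.  server1/server2 use 172.16.0.0/24 sources (RFC 1918), which the
# Internet will not route replies to, so traffic from the inside can leave
# but never returns -- consistent with "no ping, no DNS".  If the file
# really has no nat rule, one such as
#   nat on $ext_if from 172.16.0.0/24 to any -> ($ext_if)
# is needed, and pf requires it to sit ABOVE the first pass/block rule
# (options, scrub, queue, translation, filter, in that order).
# If the tests were run from the firewall itself, NAT is not the cause;
# check the default route and net.inet.ip.forwarding instead.

# Default policy.  These two rules pass everything, in both directions, on
# every interface; combined with the all-"pass" rules further down there
# is no "block" at all.  The normal starting point is "block log all" here,
# then the specific pass rules, plus
#   block in quick on $ext_if from $reserved
# for anti-spoofing.  Left unchanged because it is clearly a debugging
# state, but it should not stay that way on a box with a public address.
pass in log-all all
pass out log-all all

#pfsync0
# pfsync carries the state table in clear and is unauthenticated; keeping
# it on the dedicated xl1 link (10.10.10.0/24) as done here is the right
# choice.  NOTE(review): the notes above give 10.10.10.1 as FW2's "mid"
# address, while this host's xl1 also shows 10.10.10.1 -- the two peers
# need distinct addresses on $pfsync_if, so check which one is wrong.
pass on $pfsync_if proto pfsync

#carp iface
# CARP advertisements (IP proto 112, multicast) must pass on both physical
# interfaces or the two boxes cannot agree on a master; "quick" keeps a
# later rule from overriding this.  The ifconfig above shows every carp
# interface on this host in BACKUP state: if FW2 is not MASTER, nobody
# answers for 204.18.109.140 or for 172.16.0.200, which is the servers'
# default gateway -- verify the peer's carp state.
pass quick log-all on { $ext_if $int_if } proto carp keep state

#local iface
# Uses the literal lo0 rather than the $loop macro defined above.
pass out quick on lo0
pass in quick on lo0

#xl2 out
# Outside interface.  Without "keep state" these rules are stateless; the
# stateful outbound rule at the very end of the file is the one that
# actually matches outbound traffic on $ext_if (last match wins).
pass out log-all  on $ext_if all
pass in  log-all on $ext_if all

#xl0 inter
# Inside interface plus the carp2/carp3 pseudo-interfaces (see $carp_intif).
pass out log-all on $allint_if all
pass in  log-all on $allint_if all

# Stateful outbound on the outside interface.  Being the last rule it wins
# for outbound $ext_if traffic and creates the state entries that pfsync
# replicates to the peer.
pass out log-all on $ext_if keep state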