FreeBSD 8.2 + if_bridge + pf
sysctls:
Code:
net.link.bridge.ipfw: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
bridge0 members: ix0, ix1
/etc/pf-bridge.conf:
Code:
ext_if = "ix0"
int_if = "ix1"
br_if = "bridge0"
int_net = "10.200.1.0/24"
ext_net = "10.200.1.0/24"
set timeout udp.first 300
set timeout udp.single 150
set timeout udp.multiple 900
scrub in all
rdr on $ext_if proto { tcp udp } from $ext_net to any port 53 -> 127.0.0.1
rdr on $br_if proto { tcp udp } from $ext_net to any port 80 -> 127.0.0.1
pass in quick log on $ext_if route-to (lo0 127.0.0.1) proto { tcp udp } from $ext_net to any port 53 keep state
pass out quick log on lo0 route-to (ix0 10.200.1.2) proto { tcp udp } from 127.0.0.1 port 53 to $ext_net keep state
pass in quick log on $br_if route-to (lo0 127.0.0.1) proto { tcp udp } from $ext_net to any port 80 keep state
pass out quick log on lo0 route-to (ix0 10.200.1.2) proto { tcp udp } from 127.0.0.1 port 80 to $ext_net keep state
I am redirecting packets on port 80 from the bridge to localhost and then HAProxy is handling those connections properly. It gets interesting when I try to redirect the UDP packets on port 53. I would assume that it would redirect them from the bridge interface, but I have to specify the external interface for the rdr to be triggered. Anomaly aside, the rdr works on port 53 but it does not rewrite the source address of the packet on the return.
Code:
Ex (host1.ext)->(bsd.ext->localhost)->(host1.ext)
dig www.google.com @10.200.1.23
;; reply from unexpected source: 10.200.1.2#53, expected 10.200.1.23#53
How would I rewrite the packet source to the original destination address once it is handled by localhost?
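To make the symptom in the post easier to reason about, here is an added toy model of pf's rdr state tracking; it is not pf's code and not part of the original post. A rdr match on an inbound packet records the tuple a reply from the redirect target must carry; only a reply that hits that tuple has its source rewritten back to the address the client originally queried. The addresses 10.200.1.2 and 10.200.1.23 come from the post, the client address 10.200.1.50 and the rdr rule are constructed, and the idea that the local resolver may answer from ix0's address instead of 127.0.0.1 is an assumption used to show what pf does in that case (the page does not confirm it as the cause).

```python
from dataclasses import dataclass, replace

# Addresses from the post; CLIENT is constructed for the example.
BSD_EXT = "10.200.1.2"    # ix0 address of the pf host (taken from the route-to rule)
NS_VIP = "10.200.1.23"    # address the client queries, per the dig output
CLIENT = "10.200.1.50"    # constructed client on the external side
LOCAL = "127.0.0.1"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    """One 'rdr on <iface> proto <proto> ... port <dport> -> <target>' rule."""
    iface: str
    proto: str
    dport: int
    target: str


class PfRdrModel:
    """Minimal model of pf state tracking for rdr rules (assumed simplification).

    Real pf keys states on the full 5-tuple and, with the default floating
    state policy, does not tie the state to an interface; this model does the
    same and keeps the interface only for rule matching.
    """

    def __init__(self, rules):
        self.rules = rules
        # reply tuple (proto, src, sport, dst, dport) -> destination the client used
        self.reply_keys = {}

    def inbound(self, iface, pkt):
        for r in self.rules:
            if r.iface == iface and r.proto == pkt.proto and r.dport == pkt.dport:
                # A reply from the target must come FROM target:dport TO client:sport.
                reply_key = (pkt.proto, r.target, pkt.dport, pkt.src, pkt.sport)
                self.reply_keys[reply_key] = pkt.dst
                return replace(pkt, dst=r.target)   # translated destination
        return pkt

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        orig_dst = self.reply_keys.get(key)
        if orig_dst is None:
            return pkt          # no state matches: pf leaves the source as-is
        return replace(pkt, src=orig_dst)   # reverse translation


def reply_source_seen_by_client(server_reply_src):
    """Source address the client sees, given the address the resolver replies from."""
    pf = PfRdrModel([Rdr("ix0", "udp", 53, LOCAL)])
    query = Packet("udp", CLIENT, 40000, NS_VIP, 53)
    delivered = pf.inbound("ix0", query)            # dst becomes 127.0.0.1
    # The local resolver answers; which source it uses is the variable here.
    reply = Packet("udp", server_reply_src, 53, delivered.src, delivered.sport)
    return pf.outbound(reply).src


def dig_verdict(seen_src, expected=NS_VIP):
    """Reproduce dig's complaint when the reply source does not match the query."""
    if seen_src == expected:
        return "ok"
    return f"reply from unexpected source: {seen_src}#53, expected {expected}#53"


if __name__ == "__main__":
    for src in (LOCAL, BSD_EXT):
        seen = reply_source_seen_by_client(src)
        print(f"resolver replies from {src}: client sees {seen} -> {dig_verdict(seen)}")
```

Run as-is: a reply sourced from 127.0.0.1 hits the rdr state and leaves with source 10.200.1.23, while a reply sourced from 10.200.1.2 matches no state and reaches the client unchanged, which is exactly the dig line quoted in the post. A quick check on the real box is `pfctl -ss` while a query is in flight, to see whether the state pf holds has 127.0.0.1:53 on its translated side.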