Solved Why the use of two NICs?

[fred974]

Hi guys,

In my ongoing willingness to understand pf one day, I have been reading the Calomel.org howto a few times now.

I have a good understanding about what the example below does but I'm struggling to understand why they use two network interfaces (ExtIf and IntIf). I understand that ExtIf is a must as nothing will work otherwise, but what is the purpose of IntIf? Why would you want to redirect traffic to IntIf?

Thank you all in advance

Fred

#
### Calomel.org pf.conf
#
################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
################ Macros ###################################

### Interfaces ###
ExtIf ="mxge0"
IntIf ="mxge1"

### Hosts ###
Windows ="10.10.10.3"
Xbox360 ="10.10.10.4"
phone ="10.10.10.5"
WorkSsh ="123.123.123.123"

### Queues, States and Types ###
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
SynState ="flags S/SA synproxy state"
TcpState ="flags S/SA modulate state"
UdpState ="keep state"

### Stateful Tracking Options (STO) ###
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO ="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
WebSTO ="(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
table <BLOCKTEMP> counters
table <BLOCKPERM> counters file "/somedir/block_permanent"
table <spamd-white>

################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}

################ Queueing ####################################################
# no quality of service (QOS) since it is not supported by the myricom 10gig
# mxge0 interface drivers and we would lose as much as 10% bandwidth anyways.
# for more information: https://calomel.org/pf_hfsc.html

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
#scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ExtIf all reassemble tcp fragment reassemble

################ Translation #################################################
### NAT and Redirection rules are first match

# NAT with static NAT for the XBOX360
nat on $ExtIf from $Xbox360 to any -> ($ExtIf) static-port
nat on $ExtIf from $IntIf:network to any -> ($ExtIf)

# Apache or Nginx (external users to an internal server?)
rdr on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port https -> 10.10.10.100
rdr on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port http -> 10.10.10.100

# OpenSMTPD or Postfix with Spamd
rdr on $ExtIf inet proto tcp from !<spamd-white> to ($ExtIf) port smtp -> 10.10.10.200 port spamd
rdr on $ExtIf inet proto tcp from <spamd-white> to ($ExtIf) port smtp -> 10.10.10.250

# Openssh
rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh -> lo0
rdr on $IntIf inet proto tcp from $Windows to $IntIf port ssh -> lo0

# Apache or Nginx (internal webserver for the LAN to localhost?)
rdr on $IntIf inet proto tcp from !($IntIf) to ($IntIf) port http -> lo0
rdr on $IntIf inet proto tcp from !($IntIf) to ($IntIf) port https -> lo0

# Bind or Unbound DNS for LAN machines
rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0

# Ntpd time server for the LAN
rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0

# Anchors
rdr-anchor "games"

# Ftp ( secure ftp-proxy for the internal LAN )
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $IntIf proto tcp from $IntIf:network to any port 21 -> 127.0.0.1 port 8021

# DENY rouge redirection
no rdr

################ Filtering ###################################################
# Rules are best (closest) match. Notice we optimized the rules so external
# interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and perm tables
block drop in log quick on $ExtIf from <BLOCKPERM> to any
block drop in log quick on $ExtIf proto udp from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh

### $ExtIf default block with drop
block drop in log on $ExtIf

### $ExtIf inbound
pass in log on $ExtIf inet proto tcp from !($ExtIf) to 10.10.10.100 port https $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp from !($ExtIf) to 10.10.10.100 port www $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp from <spamd-white> to 10.10.10.250 port smtp $TcpState $SmtpSTO
pass in log on $ExtIf inet proto tcp from !<spamd-white> to 10.10.10.200 port spamd $TcpState $SmtpSTO
pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port ssh $TcpState $SshSTO

### $ExtIf outbound
pass out log on $ExtIf inet proto tcp from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
pass out log on $ExtIf inet proto udp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO

### $IntIf default block with return (TCP reset)
block return in log on $IntIf inet

### $IntIf inbound (restrict LAN clients to external machines here)
pass in log on $IntIf inet proto tcp from $IntIf:network to any port https $TcpState $OpenSTO
pass in log on $IntIf inet proto tcp from $IntIf:network to any port www $TcpState $OpenSTO
pass in log on $IntIf inet proto tcp from $Windows to lo0 port ssh $TcpState $OpenSTO
pass in log on $IntIf inet proto udp from $IntIf:network to lo0 port domain $UdpState $OpenSTO
pass in log on $IntIf inet proto udp from $IntIf:network to lo0 port ntp $UdpState $OpenSTO
pass in log on $IntIf inet proto icmp from $IntIf:network to $IntIf $IcmpPing $UdpState $OpenSTO

### $IntIf ftp secure secure proxy for LAN
anchor "ftp-proxy/*" in on $IntIf inet proto tcp

### $IntIf outbound
pass out log on $IntIf inet proto tcp from $IntIf to $IntIf:network $TcpState
pass out log on $IntIf inet proto udp from $IntIf to $IntIf:network $UdpState
pass out log on $IntIf inet proto icmp from $IntIf to $IntIf:network $UdpState

### Games ( Xbox 360, Xbox ONE, PS3, PS4 and PC )
anchor "games"

############# END of FreeBSD pf.conf https://calomel.org #######################

 

[DutchDaemon]

You would normally have two interfaces on a dedicated firewall that connects a WAN and a LAN (and maybe offers some services on its own as well). That is what FreeBSD servers are widely deployed for. They are the WAN gateway/firewall for a LAN. All my traffic at home, from the LAN, Netflix streams, VoIP, etc. is routed through my FreeBSD box, which does web and mail serving, VPNs and traffic shaping as well. All of that is protected and facilitated by PF on more than one NIC.

 

[wblock@]

For the firewall to be useful, it needs doors on both sides. ExtIf is the external interface, the door to the outside world, the internet. IntIf is the internal interface, the door to the local network.

 

[usdmatt]

This example is making use of PF in a fairly common way, where it basically provides the same function as your average DSL router. ExtIf is the WAN interface that connects to the Internet and IntIf is what would be the LAN interface, where you connect your computers. The computers on the LAN all access the Internet through the firewall using NAT. He's also passing a few ports through, so for instance accessing web (port 80) from the Internet, gets redirected to a web server on the LAN.

 

[fred974]

Wow, I couldn't wish for better replies, You guys really help me out here. Just one more question if that's okay.

My box currently has four network interfaces and two of these (bce0 and bce1) are coupled to make my lagg0 interface acting as failover:
/etc/rc.conf

cloned_interfaces="lagg0"
ifconfig_bce0="up"
ifconfig_bce1="up"
ifconfig_lagg0="laggproto lacp laggport bce0 laggport bce1"
ipv4_addrs_lagg0="192.168.1.185/24"
defaultrouter="192.168.1.1"

### Jail network interface aliases ###
ifconfig_lagg0_alias0="inet 192.168.1.145 netmask 255.255.255.0" # webjail
ifconfig_lagg0_alias1="inet 192.168.1.140 netmask 255.255.255.0" # sqljail
ifconfig_lagg0_alias2="inet 192.168.1.185 netmask 255.255.255.0" # mailjail

If I want to use the example above and adapt it to work with my jails, will I need to create another lagg1 interface using the two remaining interfaces?

My plan was to use them later as load balancing for the network/webjail.

Is there a way to combine them all together?

Thank you.

Fred