Thread: Bacula File/Storage Connection Woes using PF

Bacula File/Storage Connection Woes using PF
2008-03-21 15:59:46
I want to back up a client running packet filter. I am using Bacula to back up this client to a Bacula server in the internal network. The Bacula client has two interfaces: one external and one internal. The client's internal IF is 192.168.1.25. The Bacula server is at 192.168.1.17.

When I attempt to contact the Bacula file daemon on the client, it responds by sending packets to the Bacula server daemon at a different port. It should contact the storage daemon at port 9103 but instead it attempts to contact the storage daemon at a port address that is not 9103. Thus the backup job fails.

I've tried rdr to no avail. Here's my pf.conf:

mailfilter/usr/local/etc# pfctl -vvnf /etc/pf.conf
ext_if = "rl0"
int_if = "xl0"
internal_net = "192.168.1.1/24"
external_addr = "xxx.xxx.xxx.xxx"
vpn_net = "10.8.0.0/24"
icmp_types = "echoreq"
NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
webserver1 = "192.168.1.4"
set skip on 
set skip on 
0 scrub in all fragment reassemble
1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
4 rdr pass inet proto tcp from <spamd-white:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
5 rdr pass inet proto tcp from <spamd:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
6 rdr pass inet proto tcp from ! <spamd-mywhite:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
7 block drop in log all
8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
21 block drop in log quick inet from 192.168.1.25 to any
22 pass in on xl0 inet from 192.168.1.0/24 to any
23 pass out log on xl0 inet from any to 192.168.1.0/24
24 pass out log quick on xl0 inet from any to 10.8.0.0/24
25 pass out on rl0 proto tcp all flags S/SA modulate state
26 pass out on rl0 proto udp all keep state
27 pass out on rl0 proto icmp all keep state
28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
warning: macro 'icmp_types' not used
mailfilter/usr/local/etc#

mailfilter~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304 <nop,nop,timestamp 16163436[|tcp]>
000465 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 63:80(17) ack 66 win 33304 <nop,nop,timestamp 16163436[|tcp]>
000387 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 80:107(27) ack 125 win 33304 <nop,nop,timestamp 16163436[|tcp]>
002063 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 107:125(18) ack 142 win 33304 <nop,nop,timestamp 16163439[|tcp]>
002249 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 125:203(78) ack 271 win 33304 <nop,nop,timestamp 16163441[|tcp]>
100679 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 289 win 33304 <nop,nop,timestamp 16163542[|tcp]>
000913 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 203:223(20) ack 612 win 33304 <nop,nop,timestamp 16163542[|tcp]>
000396 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 223:241(18) ack 643 win 33304 <nop,nop,timestamp 16163543[|tcp]>
099682 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 699 win 33304 <nop,nop,timestamp 16163643[|tcp]>

Why is the Bacula file daemon trying to contact the Bacula storage daemon at port 54569 instead of port 9103? I'm guessing that rule 23 is responsible for these log entries but am not sure as these entries point to rule 16 as the matching rule. I am baffled by this as these entries do not use 127.0.0.1 nor the rl0 interface.

What should happen is that the Bacula director daemon contacts the client's Bacula file daemon at port 9102 from port 9101. The file daemon on the client should contact the Bacula storage daemon at port 9103 using port 9102 and execute the backup routine. More details at:

http://bacula.org/en/rel-manual/Dealing_with_Firewalls.html#SECTION004722000000000000000

The section suggests using port forwarding to redirect packets to port 9103 but I have been unsuccessful. Please note that there is no firewall between the client and the server; only that the mailfilter client runs pf.

My Bacula config on the server works fine as it can back up LAN clients that are not using packet filter.

~Doug
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf@freebsd.org-unsubscribe@freebsd.org"

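As an added illustration, not code from the thread, from Bacula or from pf: the Python parser below reads the pflog lines quoted above, labels each endpoint by its Bacula daemon port and reports whether a logged packet is a SYN, a SYN/ACK reply or a segment of an established connection (tcpdump prints "ack N" only when the ACK bit is set). The sample lines are the ones from the post, rejoined onto single lines; the BACULA_PORTS mapping and the function names are my own.

```python
import re

# Constructed sample: three of the pflog lines quoted above, each rejoined onto a single line.
SAMPLE_PFLOG = [
    "000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535 <mss 1460,nop,wscale 1,[|tcp]>",
    "005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304 <nop,nop,timestamp 16163436[|tcp]>",
    "100679 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 289 win 33304 <nop,nop,timestamp 16163542[|tcp]>",
]

# Bacula's fixed daemon ports as named in the thread; any other port is treated as ephemeral.
BACULA_PORTS = {9101: "director", 9102: "file daemon", 9103: "storage daemon"}

# Shape of one TCP line from 'tcpdump -n -e -ttt -i pflog0' (-e adds the "rule N/M(match): ..." prefix).
LINE_RE = re.compile(
    r"^\d+ rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SPFR.]+) (?P<rest>.*)$"
)

def parse_pflog_line(line):
    """Parse one pflog TCP line into a dict; return None for lines that are not TCP rule matches."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    for key in ("rule", "sport", "dport"):
        e[key] = int(e[key])
    # tcpdump prints "ack N" only when the ACK bit is set, so "S ... ack N" is a SYN/ACK, not a SYN.
    e["has_ack"] = re.search(r"\back \d+", e.pop("rest")) is not None
    return e

def initiator(e):
    """Endpoint that opened the connection: a bare SYN comes from it, a SYN/ACK goes back to it."""
    if e["flags"] == "S":
        return (e["dst"], e["dport"]) if e["has_ack"] else (e["src"], e["sport"])
    return None  # data/ack segments do not reveal who performed the handshake

def explain(e):
    """One readable line: matched rule, endpoints labelled with their Bacula role, packet kind."""
    role = lambda port: BACULA_PORTS.get(port, "ephemeral")
    if e["flags"] == "S":
        kind = "SYN/ACK reply" if e["has_ack"] else "SYN (new connection)"
    else:
        kind = "segment of an established connection"
    return (f"rule {e['rule']} {e['action']} {e['dir']} on {e['iface']}: "
            f"{e['src']}:{e['sport']} [{role(e['sport'])}] > {e['dst']}:{e['dport']} [{role(e['dport'])}]; {kind}")

if __name__ == "__main__":
    for line in SAMPLE_PFLOG:
        print(explain(parse_pflog_line(line)))
```

For the first logged packet the parser reports a SYN/ACK from 192.168.1.25:9102 to 192.168.1.17:54569, i.e. the file daemon answering a connection that arrived on port 9102 from an ephemeral port, which is the flow to compare against the expected 9102-to-9103 connection.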
Re: Bacula File/Storage Connection Woes using PF
2008-03-21 16:45:14
On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
> I want to back up a client running packet filter. I am using Bacula to back up this client to a Bacula server in the internal network. The Bacula client has two interfaces: one external and one internal. The client's internal IF is 192.168.1.25. The Bacula server is at 192.168.1.17.
>
> When I attempt to contact the Bacula file daemon on the client, it responds by sending packets to the Bacula server daemon at a different port. It should contact the storage daemon at port 9103 but instead it attempts to contact the storage daemon at a port address that is not 9103. Thus the backup job fails.
>
> I've tried rdr to no avail. Here's my pf.conf:
>
> mailfilter/usr/local/etc# pfctl -vvnf /etc/pf.conf

Use "pfctl -vvsr" instead of -nf to make sure you really get the rules that are loaded and not those that you wanted to load.

> ext_if = "rl0"
> int_if = "xl0"
> internal_net = "192.168.1.1/24"
> external_addr = "xxx.xxx.xxx.xxx"
> vpn_net = "10.8.0.0/24"
> icmp_types = "echoreq"
> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> webserver1 = "192.168.1.4"
> set skip on 
> set skip on 
> 0 scrub in all fragment reassemble
> 1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> 2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> 3 rdr on rl0 inet proto tcp from any to xxx.xxx.xxx.xxx port = http -> 192.168.1.4 port 80
> table <spamd> persist
> table <spamd-white> persist
> table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> 4 rdr pass inet proto tcp from <spamd-white:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 25
> 5 rdr pass inet proto tcp from <spamd:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
> 6 rdr pass inet proto tcp from ! <spamd-mywhite:0> to xxx.xxx.xxx.xxx port = smtp -> 127.0.0.1 port 8025
> 7 block drop in log all
> 8 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
> 9 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
> 10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> 11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> 12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> 13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> 14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> 15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> 16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> 17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> 18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> 19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> 20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> 21 block drop in log quick inet from 192.168.1.25 to any
> 22 pass in on xl0 inet from 192.168.1.0/24 to any
> 23 pass out log on xl0 inet from any to 192.168.1.0/24
> 24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> 25 pass out on rl0 proto tcp all flags S/SA modulate state
> 26 pass out on rl0 proto udp all keep state
> 27 pass out on rl0 proto icmp all keep state
> 28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> 29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> warning: macro 'icmp_types' not used
> mailfilter/usr/local/etc#
>
> mailfilter~# tcpdump -n -e -ttt -i pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 000000 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: S 3943875170:3943875170(0) ack 2725840709 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 005364 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 1:63(62) ack 39 win 33304 <nop,nop,timestamp 16163436[|tcp]>
> 000465 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 63:80(17) ack 66 win 33304 <nop,nop,timestamp 16163436[|tcp]>
> 000387 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 80:107(27) ack 125 win 33304 <nop,nop,timestamp 16163436[|tcp]>
> 002063 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 107:125(18) ack 142 win 33304 <nop,nop,timestamp 16163439[|tcp]>
> 002249 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 125:203(78) ack 271 win 33304 <nop,nop,timestamp 16163441[|tcp]>
> 100679 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 289 win 33304 <nop,nop,timestamp 16163542[|tcp]>
> 000913 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 203:223(20) ack 612 win 33304 <nop,nop,timestamp 16163542[|tcp]>
> 000396 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: P 223:241(18) ack 643 win 33304 <nop,nop,timestamp 16163543[|tcp]>
> 099682 rule 16/0(match): pass out on xl0: 192.168.1.25.9102 > 192.168.1.17.54569: . ack 699 win 33304 <nop,nop,timestamp 16163643[|tcp]>
>
> Why is the Bacula file daemon trying to contact the Bacula storage daemon at port 54569 instead of port 9103? I'm guessing that rule 23 is responsible for these log entries but am not sure as these entries point to rule 16 as the matching rule. I am baffled by this as these entries do not use 127.0.0.1 nor the rl0 interface.

See above.  I doubt this is a bug in pf.

> What should happen is that the Bacula director daemon contacts the client's Bacula file daemon at port 9102 from port 9101. The file daemon on the client should contact the Bacula storage daemon at port 9103 using port 9102 and execute the backup routine. More details at:
>
> http://bacula.org/en/rel-manual/Dealing_with_Firewalls.html#SECTION004722000000000000000
>
> The section suggests using port forwarding to redirect packets to port 9103 but I have been unsuccessful. Please note that there is no firewall between the client and the server; only that the mailfilter client runs pf.
>
> My Bacula config on the server works fine as it can back up LAN clients that are not using packet filter.

From the rules you quote above, I don't see why pf should interfere with ports towards your internal net, but then again you might be having other rules loaded than you think you are - the pflog is a strong indication.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News