From: Cedric Berger (cedric_at_wireless-networks.com)
Date: Wed Oct 02 2002 - 03:35:08 CDT
This is a routing problem, and a PF limitation.
Here is how you can do it, but you would need 2 firewalls for that.
    [ bridge1 ]            [ bridge2 ]
        |                      |
        |                      |
        |                      |
   rl1  |                      |  rl1
   [ firewall1 ]          [ firewall2 ]
   rl0  \                      /  rl0
         \                    /
          \                  /
           \                /
               [switch]
                  |
                  |
              { SERVERS }
Ok, what is really important in this setting is that each
of the firewalls has a different default route, pointing
upstream to the internet.
Now here comes the trick: you need to put the following
rules on each firewall:
FW1:
rdr on rl1 proto tcp from any to my_public_ip1/32 port 80 -> 192.168.4.3 port 80
rdr on rl1 proto tcp from any to my_public_ip1/32 port 443 -> 192.168.4.3 port 443
rdr on rl1 proto tcp from any to my_public_ip1/32 port 25 -> 192.168.4.3 port 25
nat on rl0 proto tcp from !rl0 to 192.168.4.3 -> rl0
FW2:
rdr on rl1 proto tcp from any to my_public_ip2/32 port 80 -> 192.168.4.3 port 80
rdr on rl1 proto tcp from any to my_public_ip2/32 port 443 -> 192.168.4.3 port 443
rdr on rl1 proto tcp from any to my_public_ip2/32 port 25 -> 192.168.4.3 port 25
nat on rl0 proto tcp from !rl0 to 192.168.4.3 -> rl0
The "trick" here is the NAT lines. This is NOT for outgoing traffic; this NAT
line is for incoming traffic. It will create a second state on the firewall:
the first state is the redirect, and the second state will change the *source*
address of incoming packets to be the internal IP of the firewall. If you do that, the
servers will believe that all connections come from the internal address of
one of the firewalls, and will be able to route them back to the correct firewall.
This will create true symmetrical routing (that was the problem in your first
setting).
I've tested that; it works perfectly with 3.1. There is only one problem:
you lose on the server the ability to know the real source address of
your connections. That might or might not be a problem for you. Usually
this info is just used for logging, and logging can be done on the firewall
as well.
Now of course, it would be great to have an option in PF to remember from
which interface a state originates, and have PF send it back to the same IF!
Hope that helps,
Cedric
Borja Lopez - wrote:
>ok, my first post to tech, let me explain:
>
>I have some servers behind an obsd 3.1-stable firewall, which has 3 ethernets. One of these has a private IP address (192.168.4.1) and is connected to a 10/100Mb unmanaged switch. My servers are connected to that switch; that's the "inside" connection of the firewall.
>In the "outside" zone we have the other 2 ethernets of the firewall, with a different public IP address on each interface. These are connected to a bridge (each one to a bridge); the 2 bridges connect to my ISP routers. See it in ASCII:
>
>
>      [ bridge1 ]           [ bridge2 ]
>           \                   /
>            \                 /
>             \               /
>              \             /
>               \           /
>            rl1 \         / rl2
>               [ firewall ]
>                    | rl0
>                    |
>                    |
>                    |
>                 [switch]
>                    |
>                    |
>                    |
>                { SERVERS }
>
>
>Well, my problem is whether I need some strange configs in the firewall's routing tables; I mean, I have set up pf/nat with some redirects.
>
>First I do some nat on the internal (SERVERS) network, but I don't think that must be needed, because I don't have users behind the firewall, only servers listening for connections, so doing only some redirects would be fine. Could anyone verify that?
>See my nat.conf:
>
># nat on one of the outside interfaces
>nat on rl2 from 192.168.4.0/24 to any -> my_public_ip # i don't think that rule is needed... ???
>
># redirects
>rdr on rl1 proto tcp from any to my_public_ip1/32 port 80 -> 192.168.4.3 port 80
>rdr on rl1 proto tcp from any to my_public_ip1/32 port 443 -> 192.168.4.3 port 443
>rdr on rl1 proto tcp from any to my_public_ip1/32 port 25 -> 192.168.4.3 port 25
>
>rdr on rl2 proto tcp from any to my_public_ip2/32 port 80 -> 192.168.4.3 port 80
>rdr on rl2 proto tcp from any to my_public_ip2/32 port 443 -> 192.168.4.3 port 443
>rdr on rl2 proto tcp from any to my_public_ip2/32 port 25 -> 192.168.4.3 port 25
>
>With the appropriate DNS round robin and such configs, anyone trying to reach my web server from whichever of those two external IPs should be capable of it, but I could only connect through my_public_ip2. Attempts to connect via the first external IP even get logged in my firewall logs (attempts such as nmap and so on).
>
>Any tip/idea to solve that problem or to improve performance in such a config would be appreciated.
>
>Thnx, Wu.
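To make the two-firewall source-NAT trick from Cedric's reply concrete, here is a small model of it. This is an added example, not code from the thread or from pf: it models only as much of rdr/nat state handling as the reply describes (rewrite the destination, optionally rewrite the source to the firewall's rl0 address, reverse both on the way back). The addresses 203.0.113.1, 198.51.100.1, 192.0.2.50 and the firewall internal IPs 192.168.4.1/192.168.4.2 are constructed; the server 192.168.4.3 is the one from the thread. The server has one default gateway (fw2), which is exactly why, without the nat rule, a reply to a connection that entered via fw1 ends up at a firewall that has no state for it.

```python
# Added example (not part of the original thread): a toy model of two pf
# firewalls with rdr + "nat on rl0", showing why the nat rule gives
# symmetric return routing and what the server sees as the source address.
# All IPs below are constructed; pf semantics are simplified.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """One pf host: rdr for its public IP, optional nat to its rl0 address."""

    def __init__(self, name: str, public_ip: str, internal_ip: str,
                 server_ip: str, nat_incoming: bool) -> None:
        self.name = name
        self.public_ip = public_ip
        self.internal_ip = internal_ip      # address on rl0 (server-side)
        self.server_ip = server_ip
        self.nat_incoming = nat_incoming    # the "trick" rule from the reply
        # state table: flow key of the expected reply -> original request
        self.states: Dict[FlowKey, Packet] = {}
        self.next_port = 50000

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on rl1; returns it as forwarded out rl0, or None."""
        if pkt.dst != self.public_ip or pkt.dport not in (25, 80, 443):
            return None                                  # no matching rdr
        out = replace(pkt, dst=self.server_ip)           # rdr: rewrite dst
        if self.nat_incoming:                            # nat on rl0: rewrite src
            out = replace(out, src=self.internal_ip, sport=self.next_port)
            self.next_port += 1
        # remember how the server's reply will look when it reaches rl0
        self.states[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply_from_server(self, pkt: Packet) -> Optional[Packet]:
        """Reply arriving on rl0; undo both translations via state, or drop."""
        orig = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None                                  # this box never saw the request
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


class Server:
    """Host on the switch: on-link delivery to a firewall's rl0 IP, else default route."""

    def __init__(self, default_gw: str, gateways: Dict[str, Firewall]) -> None:
        self.default_gw = default_gw
        self.gateways = gateways            # internal IP -> firewall

    def route_reply(self, req: Packet) -> Tuple[Packet, Firewall]:
        reply = Packet(src=req.dst, sport=req.dport, dst=req.src, dport=req.sport)
        via = self.gateways.get(reply.dst, self.gateways[self.default_gw])
        return reply, via


def simulate(nat_incoming: bool) -> Dict[str, Dict[str, str]]:
    """Send one request through each firewall; report what the server saw as
    the source and which firewall its reply actually traversed."""
    fw1 = Firewall("fw1", "203.0.113.1", "192.168.4.1", "192.168.4.3", nat_incoming)
    fw2 = Firewall("fw2", "198.51.100.1", "192.168.4.2", "192.168.4.3", nat_incoming)
    server = Server(default_gw="192.168.4.2",
                    gateways={fw.internal_ip: fw for fw in (fw1, fw2)})
    result: Dict[str, Dict[str, str]] = {}
    for fw in (fw1, fw2):
        req = Packet("192.0.2.50", 40000, fw.public_ip, 80)   # constructed client
        to_server = fw.inbound(req)
        assert to_server is not None
        reply, via = server.route_reply(to_server)
        back = via.reply_from_server(reply)
        result[fw.name] = {
            "server_saw_src": to_server.src,
            "reply_via": via.name if back is not None else f"{via.name}: dropped (no state)",
        }
    return result


if __name__ == "__main__":
    print("without nat on rl0:", simulate(False))
    print("with    nat on rl0:", simulate(True))
```

Running it shows both halves of the reply: without the nat rule the server answers the client directly, so the reply follows its default route to fw2, which has no state for a connection that entered via fw1 and drops it; with the rule the server addresses each reply to the rl0 IP of the firewall that translated it, so every connection returns through the firewall it came in on. The same output also makes the trade-off visible: the server now logs 192.168.4.1 or 192.168.4.2 as the client, not 192.0.2.50, which is why connection logging has to move to the firewalls.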