From: Borja Lopez - (wu_at_interlogical.com)
Date: Thu Oct 10 2002 - 11:08:59 CDT


    On Wed, 02 Oct 2002 10:35:08 +0200
    Cedric Berger <cedricwireless-networks.com> wrote:

    > This is a routing problem, and a PF limitation.
    > Here is how you can do it, but you would need 2 firewalls for that.
    >
    >
    > [ bridge1 ]              [ bridge2 ]
    >      |                        |
    >      |                        |
    >      |                        |
    >     rl1                      rl1
    > [ firewall1 ]            [ firewall2 ]
    >     rl0 \                  / rl0
    >          \                /
    >           \              /
    >            \            /
    >              [ switch ]
    >                  |
    >                  |
    >             { SERVERS }
    >
    >
    > OK, what is really important in this setup is that each
    > of the firewalls has a different default route, pointing
    > upstream to the internet.
    >
    > Now here comes the trick: you need to put the following
    > rules on each firewall:
    >
    > FW1:
    >
    > rdr on rl1 proto tcp from any to my_public_ip1/32 port 80 -> 192.168.4.3 port 80
    > rdr on rl1 proto tcp from any to my_public_ip1/32 port 443 -> 192.168.4.3 port 443
    > rdr on rl1 proto tcp from any to my_public_ip1/32 port 25 -> 192.168.4.3 port 25
    > nat on rl0 proto tcp from !rl0 to 192.168.4.3 -> rl0
    >
    > FW2:
    >
    > rdr on rl1 proto tcp from any to my_public_ip2/32 port 80 -> 192.168.4.3 port 80
    > rdr on rl1 proto tcp from any to my_public_ip2/32 port 443 -> 192.168.4.3 port 443
    > rdr on rl1 proto tcp from any to my_public_ip2/32 port 25 -> 192.168.4.3 port 25
    > nat on rl0 proto tcp from !rl0 to 192.168.4.3 -> rl0
    >
    >
    > The "trick" here is the NAT lines. This is NOT for outgoing traffic. This NAT
    > line is for incoming traffic. It will create a second state on the firewall:
    > the first state is the redirect, and the second state will change the *source* address
    > of incoming packets to be the internal IP of the firewall. If you do that, the
    > servers will believe that all connections come from the internal address of
    > one of the firewalls, and will be able to route them back to the correct firewall.
    > This will create true symmetrical routing (that was the problem in your first
    > setup).
    >
    > I've tested that; it works perfectly with 3.1. There is only one problem:
    > you lose on the server the ability to know the real source address of
    > your connections. That might or might not be a problem for you. Usually
    > this info is just used for logging, and logging can be done on the firewall
    > as well.

    OK, I have done the config with two firewalls. One trick: it works perfectly
    if you only do the NAT trick you said on one firewall, so you only lose 50%
    of the Apache logs.
    That's my main problem, the logging facility. Apache logs are almost perfect,
    and I want to know every IP that connects to my mail server.
    Thinking about that, I only have one idea: to do a "log all" on both firewalls...
    but it could be a high load for them (both are powerful AMD Athlon 1.2GHz with 128-256MB RAM).
    How do you do your logs? Any tip?

    Thanks for your help, man

    >
    > Now of course, it would be great to have an option in PF to remember from
    > which interface a state originates, and have PF send it back to the same IF!
    >
    > Hope that helps,
    > Cedric
    >
    > Borja Lopez - wrote:
    >
    > >OK, my first post to tech, let me explain:
    > >
    > >I have some servers behind an OpenBSD 3.1-stable firewall, which has 3 ethernets. One of these has a private IP address (192.168.4.1) and is connected to a 10/100Mb unmanaged switch. My servers are connected to that switch; that's the "inside" connection of the firewall.
    > >In the "outside" zone we have the other 2 ethernets of the firewall, each interface with a different public IP address. These are connected to a bridge (each one to a bridge); the 2 bridges connect to my ISP routers. See it in ASCII:
    > >
    > >
    > > [ bridge1 ]              [ bridge2 ]
    > >      \                      /
    > >       \                    /
    > >        \                  /
    > >         \                /
    > >          \              /
    > >     rl1   \            /   rl2
    > >           [ firewall ]
    > >                | rl0
    > >                |
    > >                |
    > >                |
    > >             [ switch ]
    > >                |
    > >                |
    > >                |
    > >           { SERVERS }
    > >
    > >
    > >Well, my problem is whether I need some strange configs in the firewall's routing tables. I mean, I have set up PF/NAT with some redirects.
    > >
    > >First I do some NAT on the internal (SERVERS) network, but I don't think that should be needed, because I don't have users behind the firewall, only servers listening for connections, so doing only some redirects would be fine. Could anyone verify that?
    > >See my nat.conf:
    > >
    > ># nat on one of the outside interfaces
    > >nat on rl2 from 192.168.4.0/24 to any -> my_public_ip # I don't think this rule is needed... ???
    > >
    > ># redirects
    > >rdr on rl1 proto tcp from any to my_public_ip1/32 port 80 -> 192.168.4.3 port 80
    > >rdr on rl1 proto tcp from any to my_public_ip1/32 port 443 -> 192.168.4.3 port 443
    > >rdr on rl1 proto tcp from any to my_public_ip1/32 port 25 -> 192.168.4.3 port 25
    > >
    > >rdr on rl2 proto tcp from any to my_public_ip2/32 port 80 -> 192.168.4.3 port 80
    > >rdr on rl2 proto tcp from any to my_public_ip2/32 port 443 -> 192.168.4.3 port 443
    > >rdr on rl2 proto tcp from any to my_public_ip2/32 port 25 -> 192.168.4.3 port 25
    > >
    > >With the appropriate DNS round robin and such configs, anyone trying to reach my web server from either of those two external IPs would be capable of it, but I could only connect through my_public_ip2. Attempts to connect via the first external IP even get logged in my firewall logs (attempts such as nmap and so on).
    > >
    > >Any tip/idea to solve that problem or to improve performance in such a config would be appreciated.
    > >
    > >Thnx, Wu.

    -- 
    Fco. de Borja Lopez Rio <admininterlogical.com>
    Administrador de Sistemas y Redes - IDS
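The routing argument in Cedric's reply, and Borja's finding that the NAT trick is only needed on one of the two firewalls, can be checked with a small model. The following is an added example, not code from the thread or from PF itself: it models the server's plain host routing (on-link destinations delivered directly, everything else to a single default gateway) against two firewalls that each hold an rdr state, with or without the extra source-NAT state. The public addresses, the second firewall's rl0 address (192.168.4.2) and the client address are assumed placeholders; the thread only names 192.168.4.1 for the firewall's inside interface and 192.168.4.3 for the server.

```python
# Added example (not from the thread): a small model of the two-firewall setup
# Cedric describes, showing why an inbound connection only completes when the
# server's reply leaves towards the firewall that holds the rdr state, and why
# source-NATing inbound connections to that firewall's rl0 address makes this
# happen at the cost of hiding the real client address from the server.
# Assumed addresses: the public IPs, fw2's rl0 address (192.168.4.2) and the
# client address are documentation-range placeholders; the thread only names
# 192.168.4.1 (firewall inside) and 192.168.4.3 (server).

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER_IP = "192.168.4.3"
INSIDE_NET = ip_network("192.168.4.0/24")
REDIRECTED_PORTS = (25, 80, 443)       # the rdr rules in the thread


@dataclass
class Firewall:
    name: str
    public_ip: str      # address on rl1, the upstream side
    inside_ip: str      # address on rl0, the server side
    snat_inbound: bool  # Cedric's "nat on rl0 proto tcp from !rl0 to 192.168.4.3 -> rl0"

    def forward_inbound(self, src, dst, dport):
        """Apply the rdr state (and, if enabled, the extra nat state) to a
        packet arriving on rl1. Returns the packet as the server sees it,
        or None if no rdr rule matches."""
        if dst != self.public_ip or dport not in REDIRECTED_PORTS:
            return None
        # rdr: destination becomes the server. nat: source becomes rl0's address.
        seen_src = self.inside_ip if self.snat_inbound else src
        return (seen_src, SERVER_IP, dport)


@dataclass
class Server:
    ip: str
    default_gw: str     # rl0 address of whichever firewall is the default route

    def reply_next_hop(self, dst):
        """Plain host routing: on-link destinations are delivered directly,
        everything else goes to the single default gateway."""
        if ip_address(dst) in INSIDE_NET:
            return dst
        return self.default_gw


def try_connection(fw, server, client_ip, dport=80):
    """Return (works, source_seen_by_server) for a client hitting fw's public IP.

    The connection works only if the server's reply goes back through the same
    firewall, because that is where the rdr state lives. A reply leaving through
    the other firewall matches no state there and the client never sees the SYN/ACK."""
    pkt = fw.forward_inbound(client_ip, fw.public_ip, dport)
    if pkt is None:
        return False, None
    seen_src = pkt[0]
    works = server.reply_next_hop(seen_src) == fw.inside_ip
    return works, seen_src


def simulate(snat_fw1, snat_fw2, client_ip="192.0.2.10"):
    """Model both firewalls with the server's default route pointing at fw2."""
    fw1 = Firewall("fw1", "203.0.113.1", "192.168.4.1", snat_fw1)
    fw2 = Firewall("fw2", "198.51.100.1", "192.168.4.2", snat_fw2)
    server = Server(SERVER_IP, default_gw=fw2.inside_ip)
    result = {}
    for fw in (fw1, fw2):
        works, seen = try_connection(fw, server, client_ip)
        result[fw.name] = {
            "works": works,
            "server_logs_real_client": works and seen == client_ip,
        }
    return result


if __name__ == "__main__":
    for label, args in (("no nat trick", (False, False)),
                        ("nat trick on both", (True, True)),
                        ("nat trick on fw1 only", (True, False))):
        print(f"{label:22s} {simulate(*args)}")
```

The first case reproduces the original single-firewall symptom (only the public IP whose firewall is the server's default gateway answers), the second is Cedric's setup (both work, no real client addresses on the server), and the third is what Borja observed: the firewall that already is the server's default route returns its connections symmetrically without any source NAT, so only the other one needs the trick and half of the Apache logs keep the real address. For the remaining half, the client address is still visible on that firewall: the source rewrite only happens when the packet leaves on rl0, so a `pass in log on rl1` rule for the redirected ports records the untranslated source on pflog0, readable with `tcpdump -n -e -ttt -i pflog0`. Later PF releases also added the `reply-to` option, which is the per-state "send it back through the same interface" behaviour Cedric asks for. The model ignores UDP, clients on the inside network and any traffic other than the three redirected ports.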