Date: Mon, 24 Feb 2014 19:59:55 -0500
From: "David DeSimone" <ddesimone@verio.net>
To: "Francisco Reyes" <lists@natserv.net>
Cc: freebsd-net@freebsd.org
Subject: RE: FreeBSD behind a firewall
Message-ID: <CAABACD8BCAE7B4B8A7906EEDC9DEBC501FD52F2@IAD-WPRD-XCHB01.corp.verio.net>
In-Reply-To: <5308133F.7050504@natserv.net>
References: <5308133F.7050504@natserv.net>
This is a classic routing policy problem. Unless the Vyatta firewall applies some sort of Source NAT to incoming connections, the replies to those connections will follow your default route and leave via an interface that does not pass them back through the firewall.

One method of inserting policy-based routing is to use pf, like so:

    FW_IF = xn2            # Firewall-connected interface
    FW_IP = 192.168.3.1    # Firewall's IP

    pass in on $FW_IF reply-to ( $FW_IF $FW_IP ) proto tcp from any to any port { http, https }

This will build state entries that force replies to go back through the interface they came in.

You might need to add extra logic to match traffic that comes in via xn2 but didn't actually arrive from the firewall, if that's a possible traffic pattern for you.

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Francisco Reyes
Sent: Friday, February 21, 2014 9:02 PM
To: freebsd-net@freebsd.org
Subject: FreeBSD behind a firewall

Setup
Internet --> Vyatta firewall --> FreeBSD

Trying to have the FreeBSD machine listen on http and https on the local network and have the Vyatta firewall forward the traffic from the external connections.

I have the Vyatta already configured to send to FreeBSD, but it seems the packets at the FreeBSD machine are not going back to the firewall..

The FreeBSD machine has 3 interfaces
xn0 public - will have ssh open
xn1 internal - visible in entire data center (Rackspace VM)
xn2 internal - private net on 192.168.3.0

I have the Vyatta firewall sending traffic to xn2 and I am able to see it with TCPdump.

I tried setting a static route for all of 192.168.3.0 to go through the Vyatta firewall, but that did not seem to help.

Output of netstat -r

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            162.209.99.1       UGS         0     3542    xn0
    10.176.0.0/18      link#5             U           0        0    xn1 =>
    10.176.0.0/12      10.176.0.1         UGS         0        0    xn1
    testvm             link#5             UHS         0        0    lo0
    localhost          link#3             UH          0        0    lo0
    162.209.99.0       link#4             U           0        0    xn0
    testvm             link#4             UHS         0        0    lo0
    192.168.3.0        link#6             U           0        0    xn2
    192.168.3.1        link#6             UHS         0        0    lo0

The FreeBSD machine is 192.168.3.1, the Vyatta firewall is 192.168.3.2

Relevant parts of /etc/rc.conf

    defaultrouter="162.209.99.1"
    static_routes="lan0 lan1 lan2"
    route_lan0="-net 10.176.0.0 -netmask 255.240.0.0 10.176.0.1"
    route_lan1="-net 10.208.0.0 -netmask 255.240.0.0 10.176.0.1"
    route_lan1="-net 192.168.3.0 -netmask 255.255.255.0 192.168.3.2"

Any pointers on how I can get the traffic to go back to the Vyatta firewall?
Does the firewall need to be the gateway for the VM?

The ideal would be to keep ssh outside so as not to depend on the firewall, and http and https to go through the firewall.
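A complete pf.conf built around the reply-to rule David suggests, as an added example that is not part of the thread. It assumes the Vyatta's private-net address is 192.168.3.2 as the original post states (David's snippet uses 192.168.3.1, which the post says is the FreeBSD box itself), and it adds the "extra logic" he mentions so that hosts on 192.168.3.0/24 are answered directly rather than via the Vyatta.

```pf
# Added example, not from the thread: minimal /etc/pf.conf for the poster's
# FreeBSD host.  Assumptions: Vyatta is 192.168.3.2 on xn2; peers on
# 192.168.3.0/24 should be answered directly, not routed back via the Vyatta.
ext_if = "xn0"            # public interface, ssh stays here
fw_if  = "xn2"            # interface the Vyatta forwards http/https to
fw_ip  = "192.168.3.2"    # Vyatta's address on the private net (assumption)
lan    = "192.168.3.0/24"

set skip on lo0
block in log all
pass out                  # connections this host originates (state is kept by default)

# Peers on the private net reply directly.  'quick' stops rule evaluation here,
# so these states never get the reply-to route below.
pass in quick on $fw_if proto tcp from $lan to ($fw_if) port { http, https }

# Internet clients DNATed by the Vyatta arrive on xn2 with their real source
# address, so their replies would otherwise follow the default route out xn0.
# reply-to pins the state's return path to the Vyatta's next-hop address.
pass in on $fw_if reply-to ($fw_if $fw_ip) proto tcp from any to ($fw_if) port { http, https }

# ssh directly on the public interface, independent of the firewall
pass in on $ext_if proto tcp from any to ($ext_if) port ssh

# No static route for 192.168.3.0/24 is needed: that net is directly attached
# to xn2.  Only the reply path of forwarded connections has to be fixed.
```

pfctl -nf /etc/pf.conf parses the file without loading it; once it is loaded, pfctl -ss lists the http/https states as traffic flows.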