Date:      Mon, 24 Feb 2014 19:59:55 -0500
From:      "David DeSimone" <ddesimone@verio.net>
To:        "Francisco Reyes" <lists@natserv.net>
Cc:        freebsd-net@freebsd.org
Subject:   RE: FreeBSD behind a firewall
Message-ID:  <CAABACD8BCAE7B4B8A7906EEDC9DEBC501FD52F2@IAD-WPRD-XCHB01.corp.verio.net>
In-Reply-To: <5308133F.7050504@natserv.net>
References:  <5308133F.7050504@natserv.net>

This is a classic routing policy problem.  Unless the Vyatta firewall applies some sort of Source NAT to incoming connections, the replies to those connections will follow your default route and leave via an interface that does not pass them back through the firewall.

One method of inserting policy-based routing is to use pf, like so:

    FW_IF = xn2    # Firewall-connected interface
    FW_IP = 192.168.3.1   # Firewall's IP

    pass in on $FW_IF  reply-to ( $FW_IF  $FW_IP )  proto tcp from any to any port { http, https }

This will build state entries that force replies to go back through the interface they came in.

You might need to add extra logic to match traffic that comes in via xn2 but didn't actually arrive from the firewall, if that's a possible traffic pattern for you.


-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Francisco Reyes
Sent: Friday, February 21, 2014 9:02 PM
To: freebsd-net@freebsd.org
Subject: FreeBSD behind a firewall

Setup
Internet --> Vyatta firewall --> FreeBSD

Trying to have the FreeBSD machine listen on http and https on local network and have the Vyatta firewall forward the traffic from the external connections.

I have the Vyatta already configured to send to FreeBSD, but it seems the packets at the FreeBSD machine are not going back to the firewall.

The FreeBSD machine has 3 interfaces
xn0 public - will have ssh open
xn1 internal - visible in entire data center (Rackspace VM)
xn2 internal - private net on 192.168.3.0

I have the Vyatta firewall sending traffic to xn2 and I am able to see it with tcpdump.

I tried setting a static route for all of 192.168.3.0 to go through the Vyatta firewall, but that did not seem to help.

Output of netstat -r
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            162.209.99.1       UGS         0     3542    xn0
10.176.0.0/18      link#5             U           0        0    xn1 =>
10.176.0.0/12      10.176.0.1         UGS         0        0    xn1
testvm             link#5             UHS         0        0    lo0
localhost          link#3             UH          0        0    lo0
162.209.99.0       link#4             U           0        0    xn0
testvm             link#4             UHS         0        0    lo0
192.168.3.0        link#6             U           0        0    xn2
192.168.3.1        link#6             UHS         0        0    lo0


The FreeBSD machine is 192.168.3.1, the Vyatta firewall is 192.168.3.2

Relevant parts of /etc/rc.conf
defaultrouter="162.209.99.1"
static_routes="lan0 lan1 lan2"
route_lan0="-net 10.176.0.0 -netmask 255.240.0.0 10.176.0.1"
route_lan1="-net 10.208.0.0 -netmask 255.240.0.0 10.176.0.1"
route_lan1="-net 192.168.3.0 -netmask 255.255.255.0 192.168.3.2"


Any pointers on how I can get the traffic to go back to the Vyatta firewall?
Does the firewall need to be the gateway for the VM?

The ideal would be to keep ssh outside so as not to depend on the firewall, and have http and https go through the firewall.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"


This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free.  Thank you.


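David's reply-to approach above, written out as a complete /etc/pf.conf for the three-interface setup in Francisco's post; this is an added example, not code from either poster. Interface names and addresses come from the thread, while the macro names, the default-deny policy and the treatment of xn1 are assumptions, and since reply-to's address is the next hop, the example uses the Vyatta's 192.168.3.2 rather than the FreeBSD host's own 192.168.3.1.

```pf
# Added example (not from either poster): /etc/pf.conf for the setup in the
# thread. Interfaces and addresses are from Francisco's post; macro names,
# the default-deny policy and the treatment of xn1 are assumptions.
ext_if    = "xn0"            # public interface; the default route uses it
fw_if     = "xn2"            # private net shared with the Vyatta firewall
fw_gw     = "192.168.3.2"    # Vyatta's address on that net: reply-to next hop
web_ports = "{ http, https }"

set skip on lo0
block in log all                 # default deny inbound (xn1 rules not shown)
pass out all keep state          # the host's own outbound connections

# SSH stays independent of the firewall: replies follow the default route.
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

# Web traffic handed in by the Vyatta. reply-to records the interface and
# next hop in the state entry, so replies leave via xn2 towards 192.168.3.2
# instead of following the default route out xn0.
pass in on $fw_if reply-to ($fw_if $fw_gw) \
    proto tcp to ($fw_if) port $web_ports keep state

# The extra logic David mentions: hosts directly on 192.168.3.0/24 did not
# come through the firewall, so answer them on-link. pf applies the last
# matching rule, so this later rule overrides reply-to for those sources only.
pass in on $fw_if proto tcp from $fw_if:network to ($fw_if) \
    port $web_ports keep state
```

Enable pf with pf_enable="YES" in /etc/rc.conf and check the ruleset with pfctl -nf /etc/pf.conf before loading it; a tcpdump on xn2 should then show the replies leaving towards 192.168.3.2.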
