On Fri, Mar 03, 2006 at 06:14:00PM +0100, oliver simon wrote:
> Still no success ...
> 
> On the next firewall, tcpdump only shows the private IP-Address from the
> bsd-machine, trying to connect to the outer world ...
> 
> 17:51:38.109862 10.50.0.10.47888 > 83.146.78.121.ssh: S
> 3774377327:3774377327(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 0,nop,nop,timestamp 3223610022 0> (DF)
> 
> That's where we "want" to see one of the official IP-Addresses from the
> BSD-machine. That's why we need that source-routing ...

As Alexander pointed out, doing that is a perimeter device's job.

> Maybe we have to stay with linux there, it's getting much too expensive
> to put hours and hours of testing and trying in that project ....

Feel free to switch back, if you think Linux is better suited to your
needs. Nobody is forcing you to use OpenBSD...

> Is there no possibility to just tell that bsd-thing to connect with a
> specific IP-Address, when connecting to, for example, 193.2.4.2 ???
> 
> We just want to tell the bsd-machine, to use f.e. hme1_1 (hme1
> 217.3.3.3; hme1_1 217.3.3.4) when a user ON THE machine wants to ssh to
> 199.9.9.9, and use hme0 (10.50.0.10) for the normal traffic.
> 
> We have to do that, because this machine is a "stargate" for us, where
> f.e. some developers and supporters "hop" to our customers networks, and
> the customers only wanted to open their firewalls for one specific IP.
> This IP(s) shall all move to that bsd-machine.
> 
> We connect to the private IP on the bsd, and all other (gateway-IPs) in
> the dmz are private...
> 
> Any help is appreciated ...
> 
> Greetings, ...olli

Well, you could probably get away with this if you add nat rules to
pf.conf:
nat on $int_if from ($int_if) -> ($ext_if:0)

This needs to be below the macros (defining $int_if, $ext_if) and before
any pass/block rules. This has not been tested, as I'm logged in via SSH
and not overly fond of locking myself out if I screw up.

                Joachim
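
As an added illustration of the rule Joachim sketches (this is not from
his mail or from the OpenBSD tree), here is a pf.conf fragment in the
pre-4.7 nat syntax current in 2006 that does the narrower thing Oliver
asked for: only ssh to the customer host leaves with the whitelisted
public address, everything else keeps 10.50.0.10. Interface names and
addresses are the ones from Oliver's mail; the macro names, the choice of
199.9.9.9 as the customer host and the placement inside a larger ruleset
are assumptions.

```pf
# Added example, not the thread's own configuration.
# Section order in pf.conf of that era: macros, options, scrub, queueing,
# translation (nat/rdr/binat), then filter rules.

# --- macros (assumed names; addresses as given in the thread) -----------
int_if   = "hme0"          # 10.50.0.10, carries the default route
ext_if   = "hme1"          # 217.3.3.3, with alias hme1_1 = 217.3.3.4
hop_ip   = "217.3.3.4"     # address the customer firewall allows
customer = "199.9.9.9"     # customer host reached by ssh (assumed)

# --- translation --------------------------------------------------------
# Locally generated ssh to the customer leaves via the default route on
# hme0; rewrite only that flow's source to the whitelisted address.
nat on $int_if proto tcp from ($int_if) to $customer port 22 -> $hop_ip

# Joachim's broader variant, for comparison: every packet leaving hme0
# gets hme1's primary address (":0" excludes the hme1_1 alias), i.e.
# 217.3.3.3, not 217.3.3.4:
# nat on $int_if from ($int_if) -> ($ext_if:0)

# --- filter -------------------------------------------------------------
# In this pf version filter rules see the *translated* source, so the
# ssh flow must be passed as coming from $hop_ip, not from ($int_if).
pass out on $int_if proto tcp from $hop_ip to $customer port 22 keep state
pass out on $int_if from ($int_if) keep state
```

Two practical points. First, replies addressed to 217.3.3.4 must come back
on a path pf sees so the state entry can undo the translation; the next
firewall has to route that address towards the BSD box, which is the same
thing Alexander's "perimeter device" remark is about, and tcpdump on both
hme0 and hme1 is the quickest way to confirm it. Second, regarding
Joachim's worry about locking himself out over SSH: `pfctl -nf
/etc/pf.conf.new` only parses the file, and loading it as
`(sleep 120; pfctl -f /etc/pf.conf) & pfctl -f /etc/pf.conf.new` reverts
to the known-good ruleset automatically unless you cancel the background
job within two minutes. On OpenBSD 4.7 and later the nat line becomes
`match out on $int_if proto tcp from ($int_if) to $customer port 22 nat-to $hop_ip`.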
