Hi list,
I have a carped firewall cluster which is connected to the internet via a cable
interface,
and one dsl interface, which is used as the default route. The cable IP address
is static,
and the dsl IP address is dynamic. On the static IP address the traffic is
redirected into
the DMZ. The traffic from the Internal lan is sent out via the DSL interface,
these are just
the users that are surfing. There I do not have a problem, this works well. On
the cable
interface, I told my provider that the MAC address is the one of the carp IP
address. With
the rules below, it is possible to communicate from the DMZ to the Internet via
the Cable
Interface, due to the route-to statement. The route-to ($cable_if $cable_gate)
sends out my
packets with the MAC address of the carp device, so this works well, as I
expect. But when I
try to connect to the external $cable_mail_ip, with the second reply-to rule,
where I use
($cable_if $cable_gate) then the packets are going into the firewall, to the DMZ
host. The
DMZ host is answering, and the packets arrive again on the firewall, but then
they disappear.
I had a tcpdump running on all my interfaces, but they did not showed up
anywhere... When I
use the commented out reply-to rule ($cable_dev $cable_gate), and do not change
anything
else, then it is working as expected. I can telnet to the mail ports of the
mailer in the
DMZ. The only drawback is, that then the MAC address of the physical addresses
of the
cable_dev is used, but these are filtered at my cable ISP.
cable_dev="em0"
cable_if="carp0"
dmz_dev="em1"
dmz_if="carp1"
dsl_dev="vlan12"
dsl_if="carp13"
cable_mailer="10.10.10.10"
mail_ports="{25, 993}"
nat on $cable_dev from $dmz_net -> $cable_mail_ip
rdr on $cable_dev proto tcp to $cable_mail_ip port $mail_ports -> $cable_mailer
block in log all
pass out log all keep state
# allow communication from DMZ to Internet
pass in log on $dmz_dev route-to ($cable_if $cable_gate) proto udp from $dmz_net
to any port
{ 53, 123 } keep state
pass in log on $dmz_dev route-to ($cable_if $cable_gate) proto tcp from $dmz_net
to any port
{ 21, 25, 53, 80, 443 } modulate state flags S/SA
#pass in log on $cable_dev reply-to ($cable_dev $cable_gate) proto tcp from any
to
$cable_mail port $ogo_mail_ports modulate state flags S/SA
pass in log on $cable_dev reply-to ($cable_if $cable_gate) proto tcp from any to
$cable_mail
port $ogo_mail_ports modulate state flags S/SA
I am running OpenBSD 4.0, release. Sorry for cross posting, I am not that sure
whether it
might be a pf problem, or sth. openbsd related, therefore to the two mailing
lists. For me
this looks like a bug how reply-to statements are handled, but maybe I did sth.
wrong?
any comment appreciated.
kind regards
Sebastian
