Hi OpenBSD PF experts,

I am managing a private network, 192.168.1.0/24; 192.168.1.2 is my Retrospect backup server running on OS X 10.5 to back up the rest of the computers.

To add another layer of protection for my backup server, I added an OpenBSD 4.3 PF transparent firewall in front of 192.168.1.2. Since it is transparent, all my current private network settings stay the same.

My /etc/bridgename.bridge0:

add sis0
add sis1
blocknoip sis0
blocknoip sis1
up

My /etc/pf.conf:

ext_if="sis0"
int_if="sis1"

localnet="192.168.1.0/24"

#only filter ext_if interface, so pass everything on int_if
pass in quick on $int_if all
pass out quick on $int_if all

#pass out everything by default on ext_if, block in everything on ext_if
pass out log on $ext_if all
block in log on $ext_if all

#Allow incoming Retrospect client tcp port
pass in log quick on $ext_if proto tcp from any to $localnet \
 port { 497 } modulate state

pass in log quick on $ext_if proto udp from any to $localnet \
 port { 497 } modulate state

Now the problem:

There seems to be a random problem where the Retrospect server cannot locate the Retrospect client computer. From googling, the Retrospect server sends a UDP packet to the IP multicast address 224.1.0.38 to locate client computers listening on port 497. Here is the tcpdump I ran on OpenBSD to capture the UDP traffic when Retrospect had problems contacting the client:

# tcpdump -n -i sis0 port 497
tcpdump: listening on sis0, link-type EN10MB

13:45:34.032842 192.168.1.2.49816 > 224.1.0.38.497: udp 196 [ttl 1]
13:45:34.033865 192.168.1.3.497 > 192.168.1.2.49816: udp 196
13:45:36.047369 192.168.1.2.49817 > 224.1.0.38.497: udp 196 [ttl 1]
13:45:36.048391 192.168.1.3.497 > 192.168.1.2.49817: udp 196
13:45:38.064087 192.168.1.2.49818 > 224.1.0.38.497: udp 196 [ttl 1]
13:45:38.065113 192.168.1.3.497 > 192.168.1.2.49818: udp 196

The server IP 192.168.1.2 does locate the client 192.168.1.3, but Retrospect still complains that the client is not visible from the network.

If I change the firewall rules to "pass in log on $ext_if all" and load them, the Retrospect server finds the client immediately. I am lost on how to properly configure the PF rules so that the Retrospect server can locate the client reliably.
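Added example, not part of the original post: a narrower alternative to "pass in log on $ext_if all" that admits only the discovery replies visible in the tcpdump above (UDP from a local client's port 497 back to the server's ephemeral port), so ext_if stays closed otherwise. It assumes the server address 192.168.1.2 is fixed and that the dropped packets are exactly those replies; confirm with tcpdump on pflog0 before relying on it.

```pf
# Added example (not the poster's own config). Assumes the Retrospect
# server is 192.168.1.2 and that the packets PF drops are the UDP
# discovery replies seen in the tcpdump (src port 497 -> ephemeral port).
ext_if="sis0"
int_if="sis1"
localnet="192.168.1.0/24"
backup_srv="192.168.1.2"          # assumed: the Retrospect server

# Only filter on ext_if; pass everything on int_if.
pass in quick on $int_if all
pass out quick on $int_if all

# Default on ext_if: allow out (state is kept), block in.
pass out log on $ext_if all
block in log on $ext_if all

# Connections initiated from the network to the Retrospect port.
pass in log quick on $ext_if proto tcp from $localnet to $backup_srv \
    port 497 modulate state
pass in log quick on $ext_if proto udp from $localnet to $backup_srv \
    port 497 keep state

# Discovery replies. The server multicasts to 224.1.0.38:497 from an
# ephemeral port and each client answers from its own port 497 to that
# ephemeral port. The state created by the outbound multicast packet has
# 224.1.0.38 as its peer, so a reply from 192.168.1.3 never matches it
# and falls through to "block in" unless passed explicitly here.
pass in log quick on $ext_if proto udp from $localnet port 497 \
    to $backup_srv port > 1023 keep state
```

Load with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; "tcpdump -n -e -ttt -i pflog0" shows which rule still logs the client replies if discovery keeps failing.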
