FreeBSD behind a firewall
Francisco Reyes
lists at natserv.net
Sat Feb 22 03:02:26 UTC 2014
Setup
Internet --> Vyatta firewall --> FreeBSD
Trying to have the FreeBSD machine listen on http and https on local
network and have the Vyatta firewall forward the traffic from the
external connections.
I have the Vyatta already configured to send to FreeBSD, but it seems
the packets at the FreeBSD machine are not going back to the firewall.
The FreeBSD machine has 3 interfaces
xn0 public - will have ssh open
xn1 internal - visible in entire data center (Rackspace VM)
xn2 internal - private net on 192.168.3.0
I have the Vyatta firewall sending traffic to xn2 and I am able to see
it with tcpdump.
I tried setting a static route for all of 192.168.3.0 to go through the
Vyatta firewall, but that did not seem to help.
Output of netstat -r
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 162.209.99.1 UGS 0 3542 xn0
10.176.0.0/18 link#5 U 0 0 xn1 =>
10.176.0.0/12 10.176.0.1 UGS 0 0 xn1
testvm link#5 UHS 0 0 lo0
localhost link#3 UH 0 0 lo0
162.209.99.0 link#4 U 0 0 xn0
testvm link#4 UHS 0 0 lo0
192.168.3.0 link#6 U 0 0 xn2
192.168.3.1 link#6 UHS 0 0 lo0
The FreeBSD machine is 192.168.3.1, the Vyatta firewall is 192.168.3.2
Relevant parts of /etc/rc.conf
defaultrouter="162.209.99.1"
static_routes="lan0 lan1 lan2"
route_lan0="-net 10.176.0.0 -netmask 255.240.0.0 10.176.0.1"
route_lan1="-net 10.208.0.0 -netmask 255.240.0.0 10.176.0.1"
route_lan2="-net 192.168.3.0 -netmask 255.255.255.0 192.168.3.2"
Any pointers on how I can get the traffic to go back to the Vyatta firewall?
Does the firewall need to be the gateway for the VM?
The ideal would be to keep ssh outside so as not to depend on the firewall
and have http and https go through the firewall.
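As an added illustration (not part of the original post or any reply to it), the following Python script replays a longest-prefix lookup over the routing table shown above to show why the replies leave via xn0: the kernel routes by destination only, so a reply to a public client follows the default route no matter which interface the request arrived on, and the static route for 192.168.3.0 never matches because the reply destination is not in that subnet. The /24 on the 162.209.99.0 entry and the client address 203.0.113.5 are assumptions.

```python
import ipaddress

# Routing table transcribed from the netstat -r output in the post.
# Entries: (prefix, gateway or None when directly connected, interface).
# The /24 on 162.209.99.0 is an assumption (netstat printed no mask);
# the host routes (testvm, localhost, 192.168.3.1) are omitted.
ROUTES = [
    ("0.0.0.0/0",       "162.209.99.1", "xn0"),  # default route
    ("10.176.0.0/18",   None,           "xn1"),  # directly connected
    ("10.176.0.0/12",   "10.176.0.1",   "xn1"),  # static route_lan0
    ("162.209.99.0/24", None,           "xn0"),  # directly connected
    ("192.168.3.0/24",  None,           "xn2"),  # directly connected
]

def lookup(dst):
    """Longest-prefix match, as the kernel does for a reply packet:
    only the destination address is consulted, never the interface
    the original request arrived on. Returns (interface, gateway)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifn in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifn)
    return best[2], best[1]

def reply_is_symmetric(ingress_iface, client_ip):
    """True when the reply to client_ip leaves through the same interface
    the request came in on; False is the asymmetric case in the post."""
    egress, _ = lookup(client_ip)
    return egress == ingress_iface

if __name__ == "__main__":
    # Constructed client address (documentation range), forwarded by the
    # Vyatta onto xn2 with its public source address left intact: the
    # reply matches only the default route and leaves via xn0, bypassing
    # the firewall that holds the connection state.
    print(lookup("203.0.113.5"))                       # ('xn0', '162.209.99.1')
    print(reply_is_symmetric("xn2", "203.0.113.5"))    # False
    # If the firewall instead source-NATs forwarded connections to its own
    # 192.168.3.2 address, the reply destination is on the xn2 subnet and
    # the path is symmetric without any route changes on FreeBSD.
    print(reply_is_symmetric("xn2", "192.168.3.2"))    # True
```

The two usual remedies follow from the lookup: have the firewall source-NAT the forwarded http/https connections, or use policy routing on the FreeBSD side (pf's reply-to on the rule that passes traffic in on xn2) so those replies are sent back to 192.168.3.2 while ssh on xn0 keeps using the default route.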