FreeBSD behind a firewall
David DeSimone
ddesimone at verio.net
Tue Feb 25 01:00:04 UTC 2014
This is a classic routing policy problem. Unless the Vyatta firewall applies some sort of Source NAT to incoming connections, the replies to those connections will follow your default route and leave via an interface that does not pass them back through the firewall.
One method of inserting policy-based routing is to use pf, like so:
FW_IF = xn2           # Firewall-connected interface
FW_IP = 192.168.3.2   # Firewall's IP (the Vyatta; 192.168.3.1 is the FreeBSD box itself)
pass in on $FW_IF reply-to ( $FW_IF $FW_IP ) proto tcp from any to any port { http, https }
This will build state entries that force replies to go back through the interface they came in.
You might need to add extra logic to match traffic that comes in via xn2 but didn't actually arrive from the firewall, if that's a possible traffic pattern for you.
-----Original Message-----
From: owner-freebsd-net at freebsd.org [mailto:owner-freebsd-net at freebsd.org] On Behalf Of Francisco Reyes
Sent: Friday, February 21, 2014 9:02 PM
To: freebsd-net at freebsd.org
Subject: FreeBSD behind a firewall
Setup
Internet --> Vyatta firewall --> FreeBSD
Trying to have the FreeBSD machine listen on http and https on the local network and have the Vyatta firewall forward the traffic from the external connections.
I have the Vyatta already configured to send to FreeBSD, but it seems the packets at the FreeBSD machine are not going back to the firewall.
The FreeBSD machine has 3 interfaces
xn0 public - will have ssh open
xn1 internal - visible in entire data center (Rackspace VM)
xn2 internal - private net on 192.168.3.0
I have the Vyatta firewall sending traffic to xn2 and I am able to see it with tcpdump.
I tried setting a static route for all of 192.168.3.0 to go through the Vyatta firewall, but that did not seem to help.
Output of netstat -r
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            162.209.99.1       UGS         0     3542    xn0
10.176.0.0/18      link#5             U           0        0    xn1 =>
10.176.0.0/12      10.176.0.1         UGS         0        0    xn1
testvm             link#5             UHS         0        0    lo0
localhost          link#3             UH          0        0    lo0
162.209.99.0       link#4             U           0        0    xn0
testvm             link#4             UHS         0        0    lo0
192.168.3.0        link#6             U           0        0    xn2
192.168.3.1        link#6             UHS         0        0    lo0
The FreeBSD machine is 192.168.3.1, the Vyatta firewall is 192.168.3.2
Relevant parts of /etc/rc.conf
defaultrouter="162.209.99.1"
static_routes="lan0 lan1 lan2"
route_lan0="-net 10.176.0.0 -netmask 255.240.0.0 10.176.0.1"
route_lan1="-net 10.208.0.0 -netmask 255.240.0.0 10.176.0.1"
# static_routes lists lan2, so the third route must be route_lan2 (a second
# route_lan1 line would simply overwrite the one above)
route_lan2="-net 192.168.3.0 -netmask 255.255.255.0 192.168.3.2"
Any pointers on how I can get the traffic to go back to the Vyatta firewall?
Does the firewall need to be the gateway for the VM?
The ideal would be to keep ssh outside so as not to depend on the firewall, and have http and https go through the firewall.
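As an added example (not part of either message in the thread), here is a fuller pf.conf fragment for the setup Francisco describes, using his addresses (FreeBSD 192.168.3.1 on xn2, Vyatta 192.168.3.2, ssh on xn0) and covering the caveat David raises about xn2 traffic that did not come from the firewall. It assumes a default-deny inbound policy and that other hosts on 192.168.3.0/24 should be answered directly.

```pf
# Added example, not the thread's own configuration.
fw_if  = "xn2"            # interface facing the Vyatta
fw_gw  = "192.168.3.2"    # Vyatta's address: the next hop for forced replies
lan    = "192.168.3.0/24" # the private net behind the Vyatta
pub_if = "xn0"            # public interface; ssh keeps using the default route

set skip on lo0
block in log all
pass out all keep state

# ssh stays on the public side and replies follow the normal default route.
pass in on $pub_if proto tcp to ($pub_if) port ssh

# Hosts on the private /24 itself reach http/https directly; their replies
# must not be pushed through the Vyatta. "quick" ends rule evaluation here,
# so the reply-to rule below never applies to them.
pass in quick on $fw_if proto tcp from $lan to ($fw_if) port { http, https }

# Anything else arriving on xn2 was forwarded by the Vyatta and still carries
# the external source address. The state created here sends the replies back
# out xn2 to 192.168.3.2, overriding the default route on xn0.
pass in on $fw_if reply-to ($fw_if $fw_gw) proto tcp \
    from any to ($fw_if) port { http, https }
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -vs rules` shows the reply-to attached to the loaded rule, and `pfctl -s state` shows the per-connection entries it creates.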