Date:      Tue, 19 May 2009 19:44:34 +1000
From:      Peter Jeremy <peter@vk2pj.dyndns.org>
To:        mehma sarja <mehmasarja@gmail.com>
Cc:        ysidhu@ucolick.org, freebsd-pf@freebsd.org
Subject:   Re: Testing new firewall to replace operational firewall
Message-ID:  <20090519094434.GA5943@server.vk2pj.dyndns.org>
In-Reply-To: <ec5d34680905172320r60aef0a6r3b37d0ace7cdec94@mail.gmail.com>
References:  <ec5d34680905172320r60aef0a6r3b37d0ace7cdec94@mail.gmail.com>



On 2009-May-17 23:20:40 -0700, mehma sarja <mehmasarja@gmail.com> wrote:
>I want to test two pf firewalls in-line - an old openBSD (3.7 #50, i386) is
>on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on the 'inside.' The
>FreeBSD firewall does NOT have altq enabled. Here is the setup:

I can't think of anything specific that would make this break.

>I suspect "modulate state" may be the culprit. Here is what the manual says:
>"modulate state - works only with TCP. PF will generate strong Initial
>Sequence Numbers (ISNs) for packets matching this rule." So we have 2
>machines generating ISNs for the same connection. Could this be the problem?

No.  The inner firewall will generate "strong" ISNs and forward the
packets.  The outer firewall will then generate its own "strong" ISN
and forward the packet to the internet.  Neither firewall cares about
the sequence numbers other than for tracking windows.

>SECOND
>Are the "flags S/SA" altq functions?

No, but I presume your testing took into account that inserting/removing
the firewall would kill all existing TCP connections.

My suggestion would be to do some repeat testing (hopefully you have a
maintenance window or low-traffic period where you can afford a
planned outage) with tcpdump running on inner, middle and outer
interfaces and follow the packets through.  Looking at how the packets
are transformed will hopefully provide a clue as to what is not
working the way you expect.

-- 
Peter Jeremy

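A small checker for the tcpdump-based approach Peter suggests, added here as an example and not part of the thread: given the packets of one connection as seen at the inner, middle and outer capture points (constructed sample data below, matched across captures by IP ID), it derives the ISN offset each "modulate state" firewall applies per hop and flags any packet where that offset changes or where a field pf should leave alone was altered. The capture points, hosts and offsets are assumptions for the sample.

```python
# Constructed sample: one TCP handshake captured at three tcpdump points.
#   inner  = LAN side of the FreeBSD pf, middle = link between the two pf boxes,
#   outer  = Internet side of the OpenBSD pf.
# Packet tuple: (ip_id, src, dst, tcp_flags, seq, ack). The IP ID is used to
# match the same packet across captures (pf keeps it unless 'scrub random-id').
CLIENT, SERVER = ("192.0.2.10", 40000), ("198.51.100.5", 80)
HOPS = [("inner", "middle"), ("middle", "outer")]   # (before, after), outbound direction

CAPTURES = {
    "inner":  [(1, CLIENT, SERVER, "S",  1000, 0),
               (2, SERVER, CLIENT, "SA", 3000, 1001),
               (3, CLIENT, SERVER, "A",  1001, 3001)],
    "middle": [(1, CLIENT, SERVER, "S",  6000, 0),        # FreeBSD pf added 5000
               (2, SERVER, CLIENT, "SA", 3000, 6001),
               (3, CLIENT, SERVER, "A",  6001, 3001)],
    "outer":  [(1, CLIENT, SERVER, "S",  76000, 0),       # OpenBSD pf added 70000 more
               (2, SERVER, CLIENT, "SA", 3000, 76001),
               (3, CLIENT, SERVER, "A",  76001, 3001)],
}


def isn_offsets(captures, client=CLIENT):
    """Derive each hop's ISN offset and verify it is applied consistently.
    Returns ({hop: offset}, [anomaly strings]).
    Outbound packets (from the client) must have seq shifted by +offset and
    inbound packets must have ack shifted by the same amount; the other field
    must pass through unchanged. Captures are assumed to be in time order, so
    the outbound SYN (the packet that creates the state) fixes the offset."""
    by_id = {pt: {p[0]: p for p in pkts} for pt, pkts in captures.items()}
    offsets, anomalies = {}, []
    for before, after in HOPS:
        hop = f"{before}->{after}"
        for ip_id, p in by_id[before].items():
            q = by_id[after].get(ip_id)
            if q is None:
                anomalies.append(f"{hop}: ip_id={ip_id} not seen at {after}")
                continue
            _, src, _, flags, seq, ack = p
            outbound = src == client
            delta = (q[4] - seq) if outbound else (q[5] - ack)
            untouched = (q[5] == ack) if outbound else (q[4] == seq)
            if not untouched:
                anomalies.append(f"{hop}: ip_id={ip_id} flags={flags} non-modulated field changed")
            if hop not in offsets:
                offsets[hop] = delta
            elif delta != offsets[hop]:
                anomalies.append(f"{hop}: ip_id={ip_id} flags={flags} offset {delta} != {offsets[hop]}")
    return offsets, anomalies
```

On real captures, feed it the tuples parsed from `tcpdump -nnS` on each interface; with NAT in the path, match on IP ID and the untranslated port as well.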
