From owner-freebsd-net@FreeBSD.ORG Tue Feb 25 01:00:04 2014
Subject: RE: FreeBSD behind a firewall
Date: Mon, 24 Feb 2014 19:59:55 -0500
From: "David DeSimone"
To: "Francisco Reyes"
Cc: freebsd-net@freebsd.org
In-Reply-To: <5308133F.7050504@natserv.net>
References: <5308133F.7050504@natserv.net>
List-Id: Networking and TCP/IP with FreeBSD

This is a classic routing policy problem.
Unless the Vyatta firewall applies some sort of Source NAT to incoming connections, the replies to those connections will follow your default route and leave via an interface that does not pass them back through the firewall.

One method of inserting policy-based routing is to use pf, like so:

    FW_IF = "xn2"           # Firewall-connected interface
    FW_IP = "192.168.3.2"   # Firewall's IP (192.168.3.2 per the original message below;
                            # the rule as first posted had 192.168.3.1, this host's own address)
    pass in on $FW_IF reply-to ( $FW_IF $FW_IP ) proto tcp from any to any port { http, https }

This will build state entries that force replies to go back through the interface they came in on.

You might need to add extra logic to match traffic that comes in via xn2 but didn't actually arrive from the firewall, if that's a possible traffic pattern for you.

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Francisco Reyes
Sent: Friday, February 21, 2014 9:02 PM
To: freebsd-net@freebsd.org
Subject: FreeBSD behind a firewall

Setup

Internet --> Vyatta firewall --> FreeBSD

Trying to have the FreeBSD machine listen on http and https on the local network and have the Vyatta firewall forward the traffic from the external connections.

I have the Vyatta already configured to send to FreeBSD, but it seems the packets at the FreeBSD machine are not going back to the firewall.

The FreeBSD machine has 3 interfaces:

    xn0 public   - will have ssh open
    xn1 internal - visible in entire data center (Rackspace VM)
    xn2 internal - private net on 192.168.3.0

I have the Vyatta firewall sending traffic to xn2 and I am able to see it with tcpdump.

I tried setting a static route for all of 192.168.3.0 to go through the Vyatta firewall, but that did not seem to help.
Output of netstat -r

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            162.209.99.1       UGS         0     3542    xn0
    10.176.0.0/18      link#5             U           0        0    xn1 =>
    10.176.0.0/12      10.176.0.1         UGS         0        0    xn1
    testvm             link#5             UHS         0        0    lo0
    localhost          link#3             UH          0        0    lo0
    162.209.99.0       link#4             U           0        0    xn0
    testvm             link#4             UHS         0        0    lo0
    192.168.3.0        link#6             U           0        0    xn2
    192.168.3.1        link#6             UHS         0        0    lo0

The FreeBSD machine is 192.168.3.1, the Vyatta firewall is 192.168.3.2.

Relevant parts of /etc/rc.conf

    defaultrouter="162.209.99.1"
    static_routes="lan0 lan1 lan2"
    route_lan0="-net 10.176.0.0 -netmask 255.240.0.0 10.176.0.1"
    route_lan1="-net 10.208.0.0 -netmask 255.240.0.0 10.176.0.1"
    # The posted file named this variable route_lan1 a second time, which
    # overwrites the 10.208.0.0 route and leaves lan2 (listed in static_routes)
    # undefined; the key the static_routes list expects is route_lan2.
    route_lan2="-net 192.168.3.0 -netmask 255.255.255.0 192.168.3.2"

Any pointers on how I can get the traffic to go back to the Vyatta firewall? Does the firewall need to be the gateway for the VM?

The ideal would be to keep ssh outside so as to not depend on the firewall, and http and https to go through the firewall.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
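A fuller pf.conf for the setup in this thread, added here as an example rather than code from either poster: it applies David DeSimone's reply-to rule only to web connections that really arrive from the Vyatta (192.168.3.2, as the original message states), covers the "came in on xn2 but not from the firewall" case he mentions, and leaves ssh on xn0 on the default route. The macro names, the default-deny policy and the use of 192.168.3.1 as the forwarded-to address are assumptions.

```pf
# Added example for the thread above; not from the original posts.
fw_if  = "xn2"           # interface facing the Vyatta firewall
fw_ip  = "192.168.3.2"   # Vyatta's address on the private net (per the thread)
my_ip  = "192.168.3.1"   # this FreeBSD host's address on xn2 (assumed DNAT target)
pub_if = "xn0"           # public interface, ssh only

set skip on lo0

# Default policy is an assumption; widen it for xn1 as needed.
block in log all
pass out keep state

# ssh on the public interface gets no policy routing: its replies follow
# the default route via 162.209.99.1, which is what the poster wants.
pass in on $pub_if proto tcp from any to ($pub_if) port ssh \
    flags S/SA keep state

# Web traffic forwarded by the firewall: reply-to pins the state entry to
# xn2 / 192.168.3.2, so replies return to the Vyatta instead of leaving
# via xn0 on the default route (the asymmetric-path problem in the thread).
pass in on $fw_if reply-to ($fw_if $fw_ip) \
    proto tcp from any to $my_ip port { http, https } \
    flags S/SA keep state

# Hosts on the private net itself reach xn2 without the firewall in the
# path; last matching rule wins, so this plain rule overrides reply-to for
# them and their replies use the connected route for 192.168.3.0/24.
pass in on $fw_if proto tcp from 192.168.3.0/24 to $my_ip \
    port { http, https } flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the effect with `pfctl -ss` (the state entries for forwarded connections should show the reply-to route).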