[Fwbuilder-discussion] doubt on nat rules generation under openbsd
From: Giovanni L. <gio...@gm...> - 2010-02-16 13:20:15
Hi,

our firewalls have 2 interfaces: one with some public IPs and one interface with the private network configuration. They are OpenBSD 4.6 and they are in a cluster configuration with carp and pfsync. We use fwbuilder v4.0.0 build 2546.

When I try to ping the hosts on the internal network from the carp active firewall all goes fine, but from the second firewall, with carp in backup state, ICMP packets do not come back. I can't reach the second firewall via ssh from the internal net machines.

After a lot of tcpdump I discovered this strange behavior: all the connections, even to the internal (private) net, are NATed with the IP of the outside interface. In fact the rule generated by fwbuilder is the following (I replaced our NAT address with x.y.z.q):

    table <tbl.r9> { 172.16.1.0/24 , 172.16.3.0/24 , 172.16.2.0/24 }
    nat proto {tcp udp icmp} from <tbl.r9> to any -> x.y.z.q

I tried to modify this rule by hand, adding the interface group where the NAT has to be done:

    nat on outside proto {tcp udp icmp} from <tbl.r9> to any -> x.y.z.q

Now all works fine. I tried to add "on outside" with the fwbuilder GUI under NAT rules, but it seems there is no way to do this with fwbuilder. I therefore use this trick: with the GUI, before the NAT rule for tbl.r9, I put a "no nat" rule for the tbl.r9 networks:

    nat proto {tcp udp icmp} from ! <tbl.r9> to any -> x.y.z.q

and this also works fine.

Now the doubt is the following: is this my configuration error? Is it possible to add the interface on which the packets have to be "natted" with the fwbuilder GUI? Could you add this option to the GUI?

Thanks in advance,
giovanni

-- 
Giovanni Laieta
User ID: 1024D/24750553 created 2002-01-17
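A check for the problem described in this post, added here as an example that is not part of the thread or of fwbuilder: a small Python linter that folds pf.conf continuation lines and flags translation rules (OpenBSD 4.6 `nat`/`binat`/`rdr` syntax) that carry no `on <interface>` clause and therefore match on every interface, including the internal one. The sample configuration and the 192.0.2.1 address are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample pf.conf fragment in OpenBSD 4.6 syntax, modelled on the
# rules quoted in the post (192.0.2.1 stands in for the real NAT address).
SAMPLE_PF_CONF = """\
# NAT section
table <tbl.r9> { 172.16.1.0/24 , 172.16.3.0/24 , 172.16.2.0/24 }
nat proto {tcp udp icmp} from <tbl.r9> to any -> 192.0.2.1
nat on outside proto {tcp udp icmp} \\
    from <tbl.r9> to any -> 192.0.2.1
rdr on outside proto tcp from any to 192.0.2.1 port 80 -> 172.16.1.10
no nat from <tbl.r9> to <tbl.r9>
"""

TRANSLATION_ACTIONS = ("nat", "binat", "rdr")


def join_continuations(text: str) -> List[Tuple[int, str]]:
    """Return (first_line_number, logical_rule) pairs.

    Comments and blank lines are dropped; lines ending in a backslash are
    folded into the following line, as pfctl does when parsing pf.conf.
    """
    logical, start, buf = [], None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        logical.append((start, " ".join(buf)))
        start, buf = None, []
    return logical


def unscoped_nat_rules(text: str) -> List[Tuple[int, str]]:
    """Translation rules whose second token is not 'on', i.e. no interface.

    Without 'on <iface>' the rule applies on every interface, so packets
    leaving the internal interface towards the private networks are
    translated too, which is exactly the symptom the post describes.
    'no nat' exclusions are deliberately not flagged.
    """
    hits = []
    for lineno, rule in join_continuations(text):
        tokens = rule.split()
        if tokens[0] in TRANSLATION_ACTIONS and tokens[1:2] != ["on"]:
            hits.append((lineno, rule))
    return hits
```

Running `unscoped_nat_rules(SAMPLE_PF_CONF)` reports only the rule on line 3, the one fwbuilder generated without an interface; the hand-edited `nat on outside` rule passes.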