[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 3.0 current, pf and browsing

To: John Gould <johng@powinv.co.uk>
Subject: Re: 3.0 current, pf and browsing
From: Daniel Hartmeier <daniel@benzedrine.cx>
Date: Fri, 22 Feb 2002 20:03:42 +0100
Cc: misc@openbsd.org
Content-Disposition: inline
References: <20020222161247.C24542@insomnia.benzedrine.cx> <Pine.LNX.4.20.0202221536490.16237-100000@skeletor.powinv.co.uk>
User-Agent: Mutt/1.2.5.1i

On Fri, Feb 22, 2002 at 04:01:24PM +0000, John Gould wrote:

>           I'll try to make this a little clearer. The firewall box is
> not doing NAT on the packets that are going to the corporate network, they
> arrive at the OpenBSD box on the internal NIC and are sent back out on the
> internal network to the Nortel II400 box. The firewall in this case is
> just used to re-direct the packets to the II400 and across the VPN to the
> Contivity in the USA. Something is happening to the packets that are going
> into and being sent back out of this interface. I'll try and draw the
> configuration for you. I'm using 3.0-release.

I have never done anything similar, it's quite interesting that it works
at all :)

How do you achieve that the firewall sends packets back out through the
internal interface when they arrive through the same interface? With a
routing table entry, or pf rdr? Are you sure they actually go back out
through the internal interface, and don't reach the II400 through the
external interface? Can you verify that with tcpdump?

Can you define 'browsing directories'? I assume you mean SMB shares. You
can 'mount' them, but not ls? Can you try smbclient from a local
workstation, try to connect and ls? Or do you mean you don't see foreign
machine's shares in 'Network neighbourhood' or similar?

Can you try to reach machines of your VPN peer network with ICMP (ping),
TCP (telnet) and UDP (dig or nc -u)? Do those packets pass correctly, as
you described, from the firewall to the II400, encrypted over the
internet to the peer? Would you notice if they'd go unencrypted of the
internet (like the peer blocks non-encrypted packets)?

I doubt your setup will forward broadcasts to the VPN peer network, does
'browsing directories' require broadcasts to work?

What nat.conf and pf.conf do you have on the firewall? If you add 'log'
to all blocking rules, do you see any relevant packets blocked in
/var/pflog?

The firewall never sees an IPsec packet, right? Everything is plain
packets before it goes through the II400 and after it comes in from
there? Or do the workstation encrypt some packets, too?

More questions than answers, but this is a rather unusual and complex
setup for me :)

Daniel

Follow-Ups:
- Re: 3.0 current, pf and browsing
  - From: John Gould <johng@powinv.co.uk>

References:
- Re: 3.0 current, pf and browsing
  - From: Daniel Hartmeier <daniel@benzedrine.cx>
- Re: 3.0 current, pf and browsing
  - From: John Gould <johng@powinv.co.uk>

Prev by Date: ffsless openbsd (was: XFS from SGI and OpenBSD)
Next by Date: probably OT hardware issue - adaptec and exabyte
Prev by thread: Re: 3.0 current, pf and browsing
Next by thread: Re: 3.0 current, pf and browsing
Index(es):
- Date
- Thread