strange bridge - pf situation theory question
morning and evening all,
I have been playing / breaking 3.3 for a couple of months now, with the
enthusiasm of my childhood Speccy 48K hacks. For the following question, I
have scoured the internet and both the new and old versions of the pf FAQ. Also
the purchase of OBSD for the paranoid (suit me, sir) still brought no luck. I
must say though that every other question I could have asked is out there in
some great FAQs etc.
I currently have the following set-up running behind a routed ADSL connection
with /28 block of addresses.
    internet
        |
      router
        |
    bridge0 (IP)
        |
    obsd--bridge0 (no IP)--dmz
        |
    private network
If you want addresses and pf.conf etc. please ask but this is more of a theory
question.
My external interface on the obsd box has a public IP bridged to the interface
on the dmz (all servers assigned public addresses) side, with no IP. The
private net runs out through NAT across the external interface.
My question is along the following lines. With the bridge set up between the
dmz and external interface, I get some strange behaviour from pf. Basically,
if I wish to connect (I know it sounds mental, but it's hacking about that I
love) to the obsd wall (ssh for instance) from a box in the dmz, I must allow
the packets in through the dmz interface, but then in again through the
external interface. In a reciprocal manner, any packets to be passed to the
dmz from the obsd box must be passed out of the external interface before
passing in on the dmz interface. Now, I believe that this is a bridge issue
(not problem/bug) that I am not totally understanding. My thoughts are that
the interfaces should accept inbound through pf and then dump the packets into
a stack from where all interfaces take a peek? This situation points to
the bridge being linked externally through the interfaces, why/how? I love
bogging myself down in technical stuff, so any links would be welcome.
This entire bridge issue also makes my NAT to the dmz from my private network
difficult, as I need to pass out all required ports and protocols across the
external interface to reach the dmz from my NAT'd network. Running remote
admin utils, I would rather the ports did not get opened outbound.
I know I could subnet the /28, but I want to work this out.
Has anybody an answer to my brain drain? If I'm just being a total pleb head,
please flame appropriately ;-)
warm regards,
Steve J.
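The rule set the post describes, written out as an added example (not the poster's own pf.conf): ssh to the firewall from a dmz host has to be passed inbound on the dmz bridge member and then inbound again on the external member, and traffic from the firewall to the dmz has to be passed out on the external member and in on the dmz member. Interface names, the firewall address and the dmz net are assumptions; the idea is to keep both pass rules as narrow as the post's requirement (one host, one port) rather than opening the external interface broadly.

```pf
# Added example, not the original poster's configuration.
# Assumed names: ext_if is the bridge member carrying the public IP,
# dmz_if is the IP-less bridge member facing the dmz.
ext_if   = "xl0"
dmz_if   = "xl1"
fw_ip    = "192.0.2.1"        # assumed public address on $ext_if
dmz_net  = "192.0.2.16/28"    # assumed /28 block of dmz servers
admin    = "192.0.2.20"       # assumed dmz host allowed to ssh in

# Default deny on both bridge members.
block in  log all
block out log all

# ssh from the dmz admin host to the firewall itself: the packet is
# filtered inbound on $dmz_if and, as the post observes, inbound again
# on $ext_if before it reaches the local stack, so both need a rule.
pass in quick on $dmz_if proto tcp from $admin to $fw_ip port ssh \
    flags S/SA keep state
pass in quick on $ext_if proto tcp from $admin to $fw_ip port ssh \
    flags S/SA keep state

# Replies and firewall-originated traffic to the dmz leave on $ext_if
# and are then filtered inbound on $dmz_if; the state entries above
# cover the ssh replies, the rules below cover new connections from
# the firewall (restricted to the dmz block only).
pass out quick on $ext_if proto tcp from $fw_ip to $dmz_net \
    flags S/SA keep state
pass in  quick on $dmz_if proto tcp from $fw_ip to $dmz_net \
    flags S/SA keep state
```

Loading with pf's syntax check first (pfctl -nf /etc/pf.conf) and then watching the block log (tcpdump on pflog0) shows which of the two interfaces dropped a packet, which is the quickest way to confirm on a given release that a bridged packet really is evaluated on both members.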