ipnat routing problem

I have a two-NIC firewall set up using OpenBSD 2.9. The firewall has been set up to allow internal machines to access anything and allow SSH to access certain internal machines. The xl0 is the internal card and xl1 is the external card.

Here is the ipnat.rules:

bimap xl1 -> x.y.z.a/32
map xl1 -> x.y.z.b/32 portmap tcp/udp 10000:60000
map xl1 -> x.y.z.b/32

(where x.y.z.a (which is an alias on xl1) and x.y.z.b (which is the master IP address on xl1) are proper internet addresses)

The ipf.rules are:

pass out quick on lo0
pass in quick on lo0

block in log on xl1 from any to any

pass in quick on xl1 proto tcp from any to port = 22
pass out quick on xl1 proto tcp/udp from any to any keep state
pass out quick on xl1 proto icmp from any to any

As far as I can tell, everything has been working great. However, one day we tried to SSH from an internal machine (, to the external address x.y.z.a. We were connected to the SSH server that was running on the OpenBSD firewall. We checked out all the router tables and everything was fine. We tried it from other internal machines: same behavior. I tried to SSH from the firewall to the external address and it did the same thing. I have an OpenBSD 2.7 firewall in front of a completely different segment and have the same problem. There are no routers on either side of the firewall, just hubs.

The behavior seems to be this. All internal machines can access anything out on the internet except for addresses that are controlled by the OpenBSD firewall (x.y.z.a) that protects them. All internet machines can access SSH through the firewall using x.y.z.a.

My questions are:

1) Has anybody else seen this problem (I checked the archives the best I could and didn't see anything)?
2) Should I see this problem?

Thank you for any help. I tried to keep this as short as possible; if more information is needed, please let me know.

