On 2009-May-17 23:20:40 -0700, mehma sarja <[email protected]> wrote:
>I want to test two pf firewalls in-line - an old openBSD (3.7 #50, i386) is
>on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on the 'inside.' The
>FreeBSD firewall does NOT have altq enabled. Here is the setup:

I can't think of anything specific that would make this break.

>I suspect "modulate state" may be the culprit. Here is what the manual says:
>"modulate state - works only with TCP. PF will generate strong Initial
>Sequence Numbers (ISNs) for packets matching this rule." So we have 2
>machines generating ISNs for the same connection. Could this be the problem?

No. The inner firewall will generate "strong" ISNs and forward the packets.
The outer firewall will then generate its own "strong" ISN and forward the
packet to the internet. Neither firewall cares about the sequence numbers
other than for tracking windows.

>SECOND
>Are the "flags S/SA" altq functions?

No, but I presume your testing took into account that inserting/removing the
firewall would kill all existing TCP connections.

My suggestion would be to do some repeat testing (hopefully you have a
maintenance window or low-traffic period where you can afford a planned
outage) with tcpdump running on inner, middle and outer interfaces and
follow the packets through. Looking at how the packets are transformed will
hopefully provide a clue as to what is not working the way you expect.

-- 
Peter Jeremy
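The claim above that two "modulate state" firewalls in series do not conflict can be checked with a small model of the handshake. The following is an added example, not code from the original mail and not pf's own implementation: it mimics only what "modulate state" does on the wire (a per-connection random offset added to the initiator's sequence numbers on the way out and subtracted from acknowledgement numbers on the way back) and what "flags S/SA" means (state is created only by a SYN with ACK clear). The hosts, ports, seeds and the assumption of plain routing with no NAT at either box are all made up for the example; only the initiator's direction is modulated, matching the man page wording quoted above.

```python
"""Model of pf 'modulate state' across two in-line stateful firewalls.

Added example, not pf source code. Each firewall keeps a per-flow offset
(the assumed equivalent of pf's random ISN choice), adds it to the client's
sequence numbers outbound and removes it from the server's ACK numbers
inbound. Two firewalls in series simply apply two independent offsets.
"""
import random
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence space is 32 bits; all arithmetic wraps


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str  # subset of "SA"; other flags are irrelevant to this model


def flow_key(seg, reverse=False):
    """Identify a flow as seen from the initiating (inside) host."""
    if reverse:
        return (seg.dst, seg.dport, seg.src, seg.sport)
    return (seg.src, seg.sport, seg.dst, seg.dport)


class ModulatingFirewall:
    """One pf-like firewall with 'pass ... flags S/SA modulate state'."""

    def __init__(self, name, rng):
        self.name = name
        self.rng = rng
        self.states = {}  # flow key -> sequence offset chosen at SYN time

    def outbound(self, seg):
        key = flow_key(seg)
        if key not in self.states:
            # flags S/SA: only a bare SYN may create state; anything else
            # without state is dropped (this is what kills existing
            # connections when a firewall is inserted mid-stream).
            if "S" not in seg.flags or "A" in seg.flags:
                raise ValueError(f"{self.name}: no state and not a SYN")
            self.states[key] = self.rng.randrange(MOD)
        delta = self.states[key]
        return Segment(seg.src, seg.dst, seg.sport, seg.dport,
                       (seg.seq + delta) % MOD, seg.ack, seg.flags)

    def inbound(self, seg):
        key = flow_key(seg, reverse=True)
        if key not in self.states:
            raise ValueError(f"{self.name}: no state for inbound segment")
        delta = self.states[key]
        return Segment(seg.src, seg.dst, seg.sport, seg.dport,
                       seg.seq, (seg.ack - delta) % MOD, seg.flags)


def make_firewall_pair(seed=None):
    """Inner and outer firewalls with independent RNGs (seeded for tests)."""
    inner = ModulatingFirewall("inner", random.Random(seed))
    outer = ModulatingFirewall("outer", random.Random(None if seed is None else seed + 1))
    return inner, outer


def three_way_handshake(client_isn, server_isn, inner, outer):
    """Push SYN / SYN-ACK / ACK through client -> inner -> outer -> server.

    Returns the sequence numbers each party observes so the effect of the
    two independent offsets can be compared end to end.
    """
    client, server = "10.0.0.2", "198.51.100.7"  # constructed addresses
    syn = Segment(client, server, 40000, 80, client_isn, 0, "S")
    syn_at_mid = inner.outbound(syn)            # inner adds its offset
    syn_at_server = outer.outbound(syn_at_mid)  # outer adds a second one
    synack = Segment(server, client, 80, 40000, server_isn,
                     (syn_at_server.seq + 1) % MOD, "SA")
    synack_at_mid = outer.inbound(synack)       # outer removes its offset
    synack_at_client = inner.inbound(synack_at_mid)
    ack = Segment(client, server, 40000, 80,
                  (client_isn + 1) % MOD, (server_isn + 1) % MOD, "A")
    ack_at_server = outer.outbound(inner.outbound(ack))
    return {
        "client_isn": client_isn,
        "isn_after_inner": syn_at_mid.seq,
        "isn_seen_by_server": syn_at_server.seq,
        "ack_seen_by_client": synack_at_client.ack,
        "final_ack_seq_at_server": ack_at_server.seq,
        "server_expects_seq": (syn_at_server.seq + 1) % MOD,
    }


def is_consistent(result):
    """True when both endpoints see numbers consistent with their own ISNs."""
    return (result["ack_seen_by_client"] == (result["client_isn"] + 1) % MOD
            and result["final_ack_seq_at_server"] == result["server_expects_seq"])


if __name__ == "__main__":
    inner, outer = make_firewall_pair()
    r = three_way_handshake(client_isn=1000, server_isn=5000, inner=inner, outer=outer)
    for k, v in r.items():
        print(f"{k:>24}: {v}")
    print("handshake consistent:", is_consistent(r))
```

Running it prints three different values for the client's ISN (at the client, between the boxes, and at the server) and shows the client still receiving an ACK of its own ISN + 1, which is the situation described in the reply: each firewall rewrites independently and undoes its own rewrite on the return path. The `ValueError` raised for a segment with no state is the model's stand-in for the dropped packets that kill existing connections when a stateful firewall is inserted mid-stream, so a real test of the setup needs fresh connections started after both boxes are in place.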
