What exactly are you trying to achieve, or: why not use Azure Firewall?
On 26.04.20 17:27, 4642 wrote:
> Hi, I have created an OpenBSD 6.6 VM in the Azure cloud that I plan to use as
> a firewall. I had planned on using carp but I can't get it working in Azure,
> so I think I can use an Internal Load Balancer to achieve my aim of having
> two redundant OBSD firewalls in Azure. The problem I have is that the Azure
> Internal Load Balancer requires a health probe to work. So I create a load
> balancer health probe and set it to the SSH service on my FW host and set it
> to every 5 seconds. I can see the traffic on my FW but the health probe
> doesn't work, and I think it's because the traffic from the Azure discovery IP
> "168.63.129.16" that is doing the probe is coming from within the Azure
> network, hitting my internal NIC and then onto the SSH service, and then
> finally leaving, but on the external interface.
>
> tcpdump -n -e -ttt -i pflog0 -v
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Apr 26 15:59:30.082436 rule 1/(match) [uid 0, pid 44293] block out on hvn0:
> [orig src 10.x.x.36:22, dst 168.63.129.16:54762] 10.x.x.4.65324 >
> 168.63.129.16.54762: S [bad tcp cksum 9d0b! -> 9e14] 252441079:252441079(0)
> ack 3958895254 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> (DF) (ttl 64,
> id 2960, len 52, bad ip cksum 0! -> 52f0)
>
> Rule 1 = block log all
> 168.63.129.16 = Azure Discovery Address
> 10.x.x.4 = My External IP on hvn0
> 10.x.x.36 = My Internal IP on hvn1
>
> I tried changing the state rules to allow the traffic out on the external
> interface, and I thought I had it working earlier today by changing
> state-policy from if-bound to floating, but I can't reproduce that again for
> some reason... anyway it didn't seem to work.
> I think I really just need to force the traffic back out the internal
> interface, but I just don't know how to do that?
>
> If anyone could help me it would be really appreciated.
> Thanks
>
> Keith
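An added pf.conf fragment, not taken from either mail in the thread, showing the standard pf way to pin the probe's replies to the interface the probe arrived on: `reply-to` on the stateful `pass in` rule (pf.conf(5), OpenBSD 6.6 syntax `reply-to (interface address)`). The interface names hvn0/hvn1 and the probe address 168.63.129.16 come from Keith's mail; the gateway value in `int_gw` is a placeholder and must be replaced with the real first-hop router of the hvn1 subnet.

```pf
# Added example (not from the thread). Assumes:
#   hvn0 = external NIC carrying the default route
#   hvn1 = internal NIC the Azure health probe arrives on
#   int_gw = first-hop router of the hvn1 subnet (placeholder value below)
ext_if = "hvn0"
int_if = "hvn1"
int_gw = "10.0.1.1"            # hypothetical; substitute the real hvn1 gateway
azure_probe = "168.63.129.16"  # Azure health-probe / wire-server address

set skip on lo
set state-policy if-bound

# Rule 1 in the original report: everything not explicitly passed is dropped
# and logged to pflog0.
block log all

# The probe comes in on hvn1 but its SYN-ACK would normally follow the default
# route out hvn0, where it hits the block rule above. reply-to forces every
# reply packet of this state back out hvn1 via int_gw, so the state created
# here on hvn1 also matches the return traffic.
pass in on $int_if reply-to ($int_if $int_gw) inet proto tcp \
    from $azure_probe to ($int_if) port 22

# Ordinary outbound traffic from the firewall itself, unchanged in intent
pass out on $ext_if inet
pass out on $int_if inet
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; while the probe is running, `pfctl -ss | grep 168.63.129.16` should show the state on hvn1 and `tcpdump -n -i pflog0` should stop showing the blocked SYN-ACKs on hvn0. Because `reply-to` is evaluated per state, the rule works with the default `if-bound` state policy and does not require switching to `floating`.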

