I'm trying to set up spamd on my firewall system.

The configuration is tricky because my upstream provider
(Verizon) only gives me 5 IPs, all on the same subnet.

The firewall system is acting as a bridge and as a router.

Two interfaces (sk0 and vr0) are in a bridge:

bridge0: flags=3041<UP,RUNNING,LINK0,LINK1>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        sk0 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                port 1 ifpriority 0 ifcost 0
        vr0 flags=3<LEARNING,DISCOVER>
                port 3 ifpriority 0 ifcost 0
        Addresses (max cache: 100, timeout: 240):
                00:1b:2f:b9:6c:c5 vr0 0 flags=0<>
                00:90:1a:a2:0a:ba sk0 1 flags=0<>
                6c:f0:49:0c:07:79 vr0 0 flags=0<>
                00:30:18:a8:10:76 vr0 1 flags=0<>
                00:24:1d:19:01:0d vr0 1 flags=0<>

sk0 connects to my fiber connection - it is in group wan.
vr0 connects to a switch - my local hub - it is in group lan.
They are not assigned any addresses.

re0 is the interface for this host's traffic.
It is connected to the local hub and has multiple addresses
in order to act as a router.
It is in group int.

The system is configured this way in order to have
separate sets of filter & nat rules on the bridge and
the local interface, as well as letting the lan hosts
with routable addresses talk directly to the upstream link.
I know that the documentation recommends assigning
an address to one interface on the bridge.
I tried to assign the routable address of the firewall machine
to an interface on the bridge and the pf rules became
a nightmare of complexity and never worked right.
There is no way I can get an additional IP from the provider
to talk to the upstream link (without paying many $$$).
The system is sometimes multi-homed, talks via tunnels
to other networks, supports routing to test networks,
etc., etc., so keeping the rule sets simple and
without unexpected interactions is essential.

Table locals contains my assigned subnet and 192.168.0.0/16
Table mail_servers contains my mail servers' external addresses

If I put a nat rule into pf:

rdr pass in on wan proto tcp from !<locals> to <mail_servers> \
       port smtp -> 127.0.0.1 port spamd

and a filter rule

pass quick in on wan from any to any port smtp flags any

Then packets pass through the bridge to the switch with
  1) the mail server's link-level address
  2) IP 127.0.0.1

This doesn't work, of course, because the switch delivers
the packet to the original destination.
I haven't found any way to alter the link-level address
or force pf to put the packets on either lo0's or re0's
input queue.
I've tried "fastroute" in the filter rule.
I've tried a "route-to" and "reply-to" pair.
I've tried "divert-to".

In all cases the packets disappear - they aren't seen
by tcpdump on any interface.

Is there anything I haven't tried?
I've searched for any examples of something like this.

I am thinking of creating a virtual interface "virt"
which is the lo code modified:
   delete the call to enqueue output packets on the
      input queue
   add an Ethernet header with a fabricated Ethernet
      address
and configuring an instance of this into the bridge.
I -think- that would do what I want. Maybe.
The bridge might still force the packets out the
lan branch because of the Ethernet address on the packet.

Any suggestions? I'd be willing to rearrange the
bridge code to respect routing by pf, if there is no
other way to make this work.

  thanks
  Geoff Steckel
