Hi folks.
Hoping you can help me.
I've got a server that's dual homed and is required to make connections
to the Internet to some specific servers out there and also receive
connections from the same servers. So far so good.
However, the security policy around the box (multiple firewalls) demands that
I make connections out the back-end of the server but receive
connections via the front-end of the server. As I have to make connections
via the back-end, my default route has to point out the back-end.
So when connections come into the server from the front-end, I need to
route replies to those connections back out the front-end. Currently,
the replies are going out the back-end (following the default route) and
the firewalls can't handle this of course.
I've seen hints on the net that Solaris 10 can now do policy-based
routing at the network level but can't seem to find any documentation
about it.
I've also done this sort of thing before using IPF (and PF) on *BSD
using the "reply-to" keyword in a firewall rule but this does not seem
to be working for me this time.
The rule "pass in on front-end reply-to front-end any any keep state"
should work with IPF and I can load a rule like that without any errors
("ipfstat -i" doesn't show the reply-to keyword though.) but the server
seems to be ignoring it and sending replies out the back-end to bounce
off the firewall.
Anyone got a clue I could borrow? Is there something I've missed?
This message posted from opensolaris.org
networking-discuss mailing list
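To make the routing problem in the post concrete, here is a small added model (example code, not from the post or from Solaris/IPFilter) of a dual-homed host. A plain destination-only lookup sends every reply out the default route, i.e. the back-end, whereas a source-based policy rule pins replies to connections that arrived on the front-end back out the front-end. Interface names (fe0, be0), addresses and the rule format are all constructed for the example.

```python
"""Model of asymmetric routing on a dual-homed host (constructed example).

fe0 = front-end interface, be0 = back-end interface. The default route
points out be0, as in the post. Addresses are documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: str


@dataclass(frozen=True)
class PolicyRule:
    """Policy-based rule: packets whose source is in `src` leave via `iface`."""
    src: ipaddress.IPv4Network
    iface: str
    gateway: str


# Constructed routing table: two connected networks plus a default route via be0.
ROUTES = [
    Route(ipaddress.ip_network("203.0.113.0/24"), "fe0", "203.0.113.1"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "be0", "198.51.100.1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "be0", "198.51.100.1"),
]

# Constructed policy: anything sourced from the front-end address range
# must be sent back through the front-end firewall.
POLICY = [
    PolicyRule(ipaddress.ip_network("203.0.113.0/24"), "fe0", "203.0.113.1"),
]


def destination_lookup(dst, routes):
    """Classic longest-prefix match that looks only at the destination."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def policy_lookup(src, dst, rules, routes):
    """Source-based policy first; fall back to destination routing otherwise."""
    src = ipaddress.ip_address(src)
    for rule in rules:
        if src in rule.src:
            return Route(ipaddress.ip_network("0.0.0.0/0"), rule.iface, rule.gateway)
    return destination_lookup(dst, routes)


def reply_egress(local_addr, peer_addr, use_policy):
    """Egress interface for a reply from local_addr to peer_addr.

    A reply to an inbound connection carries the local interface address as
    its source, so that address is what a policy rule can key on.
    """
    if use_policy:
        return policy_lookup(local_addr, peer_addr, POLICY, ROUTES).iface
    return destination_lookup(peer_addr, ROUTES).iface


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed Internet peer
    # Reply to a connection that arrived on fe0: wrong without policy, right with it.
    print("front-end reply, destination-only:", reply_egress("203.0.113.5", peer, False))
    print("front-end reply, with policy:      ", reply_egress("203.0.113.5", peer, True))
    # Connection we initiated via be0 is unaffected by the policy rule.
    print("back-end traffic, with policy:     ", reply_egress("198.51.100.5", peer, True))
```

The first print shows the symptom from the post (reply leaves via be0 and bounces off the back-end firewall); the second shows what a working reply-to or policy route should produce; the third confirms that outbound traffic sourced from the back-end still follows the default route, so the two requirements do not conflict once replies are keyed on source address.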