Re: pf vs. bridge vs. spamd
On Wed, Mar 24, 2010 at 09:08:48PM -0400, Geoff wrote:
> I'm trying to set up spamd on my firewall system. The configuration is tricky because my upstream provider (Verizon) only gives me 5 IPs, all on the same subnet.
> The firewall system is acting as a bridge and as a router.
> [SNIP]

I think you're taking the wrong approach here by including a bridge.

Configure the interface with the default route to have all 5 IP addresses.
Configure the hosts to be protected by the firewall, but reachable by the public internet, to be on one or more subnets within the RFC 1918 space.
Use rdr rules (or the newer equivalent) for the SPECIFIC access required from the public internet.
Use nat rules for the specific access they need to the public internet.

*IF* you do that you can use relayd or some of the fancier rdr rules to load balance across multiple backend hosts. You can also use one IP address to service multiple services that are actually provided by multiple backend boxes if the load demands such separation.

--
Chris Dukes
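The routed layout Chris describes, written out as a pf.conf fragment. This is an added example, not configuration posted by anyone in the thread: it uses the OpenBSD 4.7+ syntax (match/nat-to/rdr-to, the "newer equivalent" of nat/rdr), and the interface names, the public /29, the internal subnet and the mail server address are placeholders, not the poster's real values. The table names <spamd-white> and <nospamd> are the ones spamd(8) and spamlogd(8) maintain.

```pf
# Added example: routed firewall with spamd in front of an internal mail server.
# All interface names and addresses below are placeholders (not the thread's).
ext_if  = "em0"            # interface holding the default route; carries all public IPs
int_if  = "vr1"            # interface facing the RFC 1918 subnet
ext_net = "203.0.113.8/29" # placeholder for the provider-assigned block
mail_ip = "203.0.113.11"   # one of the public addresses, configured as an alias on $ext_if
int_net = "192.168.10.0/24"
mailsrv = "192.168.10.25"  # mail server on the internal subnet

# Sources that must never be greylisted: our own ranges and the whitelists
# that spamlogd(8) fills as remote hosts pass greylisting.
table <locals> const { $ext_net, 192.168.0.0/16 }
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

set skip on lo
block log all

# Outbound: the internal subnet leaves through the public address.
match out on $ext_if from $int_net to any nat-to $mail_ip

# Inbound SMTP from unknown senders is redirected to spamd on the firewall.
# Later matching rules win in pf, so the two rules below override this one
# for sources that are already known good.
pass in on $ext_if proto tcp from ! <locals> to $mail_ip port smtp \
    rdr-to 127.0.0.1 port spamd

# Whitelisted and explicitly trusted senders reach the real server.
pass in on $ext_if proto tcp from { <spamd-white>, <nospamd> } to $mail_ip \
    port smtp rdr-to $mailsrv port smtp

# Internal hosts may talk to the world; the mail server may deliver outbound.
pass in on $int_if from $int_net to any
pass out on $ext_if from { $ext_net, $mail_ip } to any
pass out log on $ext_if proto tcp from $mail_ip to any port smtp
```

With this shape the redirected packet never has to cross a bridge: pf rewrites the destination to 127.0.0.1 (spamd) or to the internal server, and normal routing supplies the link-level address, which is exactly the step that fails in the bridged setup described later in the thread. The internal mail server sees its RFC 1918 address, which is the trade-off Geoff raises in his reply. Check the loaded rules and the table contents with `pfctl -s rules` and `pfctl -t spamd-white -T show`; spamd, spamd-setup and spamlogd must be enabled for the whitelist tables to be populated.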
Re: pf vs. bridge vs. spamd
Date: Thu, 25 Mar 2010 13:36:53 -0400
To: Geoff g...@oat.com
Cc: misc@openbsd.org
Subject: Re: pf vs. bridge vs. spamd

On Wed, Mar 24, 2010 at 09:08:48PM -0400, Geoff wrote:
>> I'm trying to set up spamd on my firewall system. The configuration is tricky because my upstream provider (Verizon) only gives me 5 IPs, all on the same subnet.
>> The firewall system is acting as a bridge and as a router.
>> [SNIP]

On Thu Mar 25 at 13:41:29 2010, Chris Dukes wrote:
> I think you're taking the wrong approach here by including a bridge.
>
> Configure the interface with the default route to have all 5 IP addresses.
> Configure the hosts to be protected by the firewall, but reachable by the public internet, to be on one or more subnets within the RFC 1918 space.
> Use rdr rules (or the newer equivalent) for the SPECIFIC access required from the public internet.
> Use nat rules for the specific access they need to the public internet.
>
> *IF* you do that you can use relayd or some of the fancier rdr rules to load balance across multiple backend hosts. You can also use one IP address to service multiple services that are actually provided by multiple backend boxes if the load demands such separation.

Your solution is quite nice, except for one problem: the hosts inside the firewall need to know their external addresses. That can't change.

PF is an IP facility. Unfortunately, in order for it to work correctly when applied to a bridge, once a packet has been redirected it needs to get a correct link-level address. Right now, packets are assigned routes (implying link-level addresses) at ingress. Routes need to be reassigned if packet destinations change during bridging. That's the core problem. I've had a lot of problems with IPSEC, etc., due to the ad-hoc interactions of IP-level functions with link-level functions. I've thought of a scheme to fix this but obviously I don't want to go through development if there's a solution already.

Geoff
Re: pf vs. bridge vs. spamd
On Wed, Mar 24, 2010 at 09:08:48PM -0400, Geoff wrote:
> I'm trying to set up spamd on my firewall system. The configuration is tricky because my upstream provider (Verizon) only gives me 5 IPs, all on the same subnet.
> The firewall system is acting as a bridge and as a router.

I've been looking through pf.c and if_bridge.c in -current. The changes seem to answer some of my complaints. I'm going to have to update and run some tests... I hope all of the team's effort has made this much, much better.

There's one set of tests at lines 5770-5773 of net/pf.c:

    kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
    kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
    if (action == PF_PASS || r->action == PF_DROP) {

where I wonder if the tests for PF_PASS should also include PF_DIVERT? It looks like PF_DIVERT packets would be incorrectly accounted for in the two single lines and completely missed in the large block.

thanks
geoff
pf vs. bridge vs. spamd
I'm trying to set up spamd on my firewall system. The configuration is tricky because my upstream provider (Verizon) only gives me 5 IPs, all on the same subnet. The firewall system is acting as a bridge and as a router.

Two interfaces (sk0 and vr0) are in a bridge:

    bridge0: flags=3041<UP,RUNNING,LINK0,LINK1>
            priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
            sk0 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                    port 1 ifpriority 0 ifcost 0
            vr0 flags=3<LEARNING,DISCOVER>
                    port 3 ifpriority 0 ifcost 0
            Addresses (max cache: 100, timeout: 240):
                    00:1b:2f:b9:6c:c5 vr0 0 flags=0
                    00:90:1a:a2:0a:ba sk0 1 flags=0
                    6c:f0:49:0c:07:79 vr0 0 flags=0
                    00:30:18:a8:10:76 vr0 1 flags=0
                    00:24:1d:19:01:0d vr0 1 flags=0

sk0 connects to my fiber connection - it is in group wan.
vr0 connects to a switch - my local hub - it is in group lan.
They are not assigned any addresses.

re0 is the interface for this host's traffic. It is connected to the local hub and has multiple addresses in order to act as a router. It is in group int.

The system is configured this way in order to have separate sets of filter and nat rules on the bridge and the local interface, as well as letting the lan hosts with routable addresses talk directly to the upstream link.

I know that the documentation recommends assigning an address to one interface on the bridge. I tried to assign the routable address of the firewall machine to an interface on the bridge and the pf rules became a nightmare of complexity and never worked right. There is no way I can get an additional IP from the provider to talk to the upstream link (without paying many $$$). The system is sometimes multi-homed, talks via tunnels to other networks, supports routing to test networks, etc., etc., so keeping the rule sets simple and without unexpected interactions is essential.

Table <locals> contains my assigned subnet and 192.168.0.0/16.
Table <mail_servers> contains my mail servers' external addresses.

If I put a nat rule into pf:

    rdr pass in on wan proto tcp from !<locals> to <mail_servers> \
        port smtp -> 127.0.0.1 port spamd

and a filter rule

    pass quick in on wan from any to any port smtp flags any

then packets pass through the bridge to the switch with
1) the mail server link-level address
2) IP 127.0.0.1

This doesn't work, of course, because the switch delivers the packet to the original destination. I haven't found any way to alter the link-level address or force pf to put the packets on either lo0 or re0's input queue.

I've tried fastroute in the filter rule. I've tried a route-to and reply-to pair. I've tried divert-to. In all cases the packets disappear - they aren't seen by tcpdump on any interface. Is there anything I haven't tried? I've searched for any examples of something like this.

I am thinking of creating a virtual interface virt which is the lo code modified:
- delete the call to enqueue output packets on the input queue
- add an Ethernet header with a fabricated Ethernet address
and configuring an instance of this to the bridge. I -think- that would do what I want. Maybe. The bridge might still force the packets out the lan branch because of the Ethernet address on the packet.

Any suggestions? I'd be willing to rearrange the bridge code to respect routing by pf, if there is no other way to make this work.

thanks
Geoff Steckel