
List:       openbsd-misc
Subject:    IpSec, NAT & Bridge
From:       Steve <steve () videogroup ! com>
Date:       2004-01-23 20:40:28
Message-ID: 200401231540.28951.steve () videogroup ! com

Hi,

I'm trying to verify capabilities and I'm not quite sure if it's doable. 
(Testing is going to get tough, so I'm trying to get it right enough the 
first time that I only have to make final changes once it's installed.)

Background:

The setup is as follows (all firewalls are OpenBSD 3.4):

There's an external network (LAN 2) for which I've just built a firewall 
in order to VPN into the office network (LAN 1). The office LAN has a PF + 
NAT border F/W with a DMZ and a mail server on it. Inside that I have a PF 
bridge to the internal LAN. 

All that's needed on LAN 2 is access to a server on LAN 1. 

LAN 2 (172.16.2.0)
    |
Firewall
    .
    .
INTERNET
    .
    .
Border F/W 
    |
    -------- Mail server 
    |
Bridge F/W
    |
LAN 1 (10.0.1.0)

Questions:

Can I put a vpn between the Bridge F/W and the LAN 2 F/W, or does bridging 
in PF exclude that capability?

The Bridge F/W does not seem to allow ssh in from the Border, though it does 
allow outbound connections (with stateful inspection) and their replies back 
in just fine, so I'm wary as to why. The same rule that lets ssh in on the 
Border does not work through the Bridge:

pass in log on $ExtIF proto tcp from $Steve to $ExtIF port 22 flags S/SA keep state

Any pointers would be appreciated, as I've run into a mental block on it.
-- 


____________________________________
Steve Szmidt
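Editor's note: the pf.conf below is an added example for the "Bridge F/W" box in the diagram above. It is not Steve's ruleset and does not claim to diagnose his problem; it only shows a bridging ruleset in OpenBSD 3.4 syntax that also accepts ssh to the firewall itself. The interface names (fxp0, fxp1), the admin host address and the placement of the firewall's only IP address on the outside member interface are assumptions. The one behaviour it relies on is documented in bridge(4): a frame crossing the bridge is run through pf on both member interfaces, so a default-deny ruleset needs pass rules on the inside interface as well, and an interface macro such as $ExtIF only matches traffic to an address actually configured on that interface.

```pf
# Added example, not from the original post. OpenBSD 3.4 pf.conf syntax.
# Assumptions (placeholders): fxp0 is the outside member interface and the
# only one with an IP (e.g. 10.0.1.2/24, facing the border firewall),
# fxp1 is the inside member interface with no address, and $Steve is the
# admin host that should be able to ssh to the bridge firewall.
ExtIF = "fxp0"
IntIF = "fxp1"
Steve = "10.0.1.50"      # placeholder admin host

scrub in all

# Default deny, logged, on every interface.
block in  log all
block out log all

# Bridged frames are filtered on BOTH member interfaces they cross
# (bridge(4)).  Filter on the outside interface only: let everything
# through the inside interface so forwarded LAN 1 traffic is not dropped
# there.
pass in  quick on $IntIF all
pass out quick on $IntIF all

# Traffic for the firewall itself.  $ExtIF expands to the address(es)
# configured on fxp0, so this rule can only match if fxp0 is the
# interface that carries the firewall's IP.
pass in log on $ExtIF proto tcp from $Steve to $ExtIF port 22 \
    flags S/SA keep state

# Connections initiated from LAN 1 leave via the outside interface;
# the state entry lets the replies back in on $ExtIF.
pass out on $ExtIF proto { tcp udp icmp } all keep state
```

Check it with "pfctl -nf /etc/pf.conf" before loading. If the firewall's address lives on fxp1 rather than fxp0, swap the interface in the ssh rule (or name the address explicitly), since the macro form will otherwise match nothing.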
