I have recently encountered a problem that has forced me to switch a
FreeBSD box running IPFilter/IPNat to OpenBSD using PF.  I am using the
base install of 3.3 with no patches applied (just a clean install), and
have it all working short of one very small but rather HUGE problem.

So let me give you my test scenario.

I have an OpenBSD 3.3 box running with 2 interfaces.  I did a default
install, and then just changed a few minor things.  I enabled PF and I
enabled forwarding in /etc/sysctl.conf.

fxp0: is configured with 192.168.247.2/255.255.255.0
fxp1: is configured with 10.10.2.141/255.255.255.0

Default Router is 192.168.247.1

I have the following pf.conf.
-----------------------------------
set timeout { interval 30, frag 10 }
set timeout { tcp.first 30, tcp.opening 30, tcp.established 7200 }
set timeout { tcp.closing 15, tcp.finwait 15, tcp.closed 1 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set limit { states 100000, frags 50000 }
scrub in all
binat on fxp0 from 10.10.2.231 to any -> 1.2.3.231
binat on fxp0 from 10.10.2.232 to any -> 1.2.3.232
-----------------------------------

And I also have the following 2 lines in /etc/rc.local
-------------------------------------------
/usr/sbin/arp -s 1.2.3.231 00:50:08:00:56:4e pub
/usr/sbin/arp -s 1.2.3.232 00:50:08:00:56:4e pub
-------------------------------------------

The box at 192.168.247.1 is configured to route 1.2.3.0/24 to
192.168.247.2.  So when testing from the box at 192.168.247.1, I can
reach both 1.2.3.231 and 1.2.3.232 just fine.  It all works as expected.
The bug that I have with the OpenBSD PF versus the FreeBSD IPFilter case
is the following.

So if I'm on 1.2.3.231 (it's really 10.10.2.231), and attempt to connect
to 1.2.3.232, it doesn't work.  The packets get all the way out to fxp0
on the OpenBSD box but then they don't come back.  They just drop on the
floor.  I need these to come back, as the live case will be 1 set of
machines behind a load balancer attempting to connect to another set of
machines behind a load balancer, and they're all in this binat
configuration.  So this needs to work for me to drop this in place.

Is there a way to get this working?

Thanks,

Greg

-- 
Greg Rumple
[EMAIL PROTECTED]
