I've read everything I can get my hands on and can't find the answer
to my problem. I'm running OpenBSD 3.4 and have a bridging firewall
which works fine by itself. This bridge/firewall box doesn't break a
sweat handling my T1 and I want to add another external IP interface
to this box and use it as a backup mx mail server. My bridge internal
interface connects to a public address switch, and I want to run a
cable from that switch to the backup mx interface. Question is: is
this possible, and how do I do it? My working pf.conf:

ext_if="sis0"  # external bridge, no IP
int_if="dc0"   # internal bridge, no IP
mgt_if="dc1"   # management interface, 192.168.0.200
bkmx_if="rl0"  # mx backup interface, public IP

#set tables
table <rfc1918> const {10/8, 172.16/12, 192.168/16, 127/8}

# expire stale connection quickly
set optimization aggressive

# set timeout for keeping tcp connections
set timeout { tcp.established 86400, tcp.closing 6, \
        tcp.opening 6, tcp.closed 10 }

#add some sanity, scrub everything coming in
scrub in on $ext_if all

#block all
block all

# pass everything on mgt interface
pass in quick on $mgt_if all
pass out quick on $mgt_if all

# Pass everything on the internal interface - filtering
# will be done on the external interface
pass in quick on $int_if all
pass out quick on $int_if all

# log blocked packets
block in log on $ext_if

pass in on $ext_if proto tcp from any to any port \
{20, 21, 22, 25, 53, 80, 110, 143, 443, 554, 993, 995, 10000} \
flags S/SA keep state

pass in quick on $ext_if proto udp from any to any port \
{53, 123, 554, 7070} keep state

#OUT RULES
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto tcp all modulate state


Any direction or help greatly appreciated!
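As an added example (not the poster's configuration and not a reply from the list), this is one way the backup MX interface could be filtered once rl0 carries its public address. The address in `bkmx_addr` is a placeholder, since the post does not give it; the `<rfc1918>` table is repeated only so the fragment stands alone.

```pf
# Added example, not the original pf.conf. rl0's real address is not
# in the post, so bkmx_addr is a placeholder to be replaced.
bkmx_if="rl0"
bkmx_addr="203.0.113.25"
table <rfc1918> const { 10/8, 172.16/12, 192.168/16, 127/8 }

# Normalize what arrives on the MX interface and drop packets that
# claim a private source address on a public-facing link.
scrub in on $bkmx_if all
block in quick on $bkmx_if from <rfc1918> to any
block in log on $bkmx_if

# Inbound: only SMTP, only to the MX address itself, stateful.
pass in on $bkmx_if inet proto tcp from any to $bkmx_addr port 25 \
    flags S/SA keep state

# Outbound: the MX relays mail onward and needs DNS for MX lookups.
pass out on $bkmx_if inet proto tcp from $bkmx_addr to any port 25 \
    flags S/SA modulate state
pass out on $bkmx_if inet proto udp from $bkmx_addr to any port 53 \
    keep state
```

Because the switch sits on the internal side of the bridge, mail for rl0 also crosses the bridge and must be allowed by the `$ext_if` rules, which the existing port 25 entry already does. Check the combined file with `pfctl -nf /etc/pf.conf` before loading it.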
