On 24.04.2013 at 04:54, David Lang <[email protected]> wrote:

> On Tue, 23 Apr 2013, Axel Rau wrote:
>
>>>>> Why do you say this? I've managed hundreds of multi-homed firewalls (some
>>>>> with as many as 20 physical interfaces) and have never found that I
>>>>> needed to set the source IP.
>>>>> Unless you have multiple interfaces to the same network, there is no
>>>>> ambiguity, the system will always use the same interface (and will use
>>>>> the main IP on that interface for outbound messages when you have
>>>>> multiple IPs on one interface)
>>>> If you have an IPsec VPN, terminated on an OpenBSD firewall, and want to
>>>> log firewall activity to a log host, reached through the VPN, you will see
>>>> the sending socket of your syslogd binding to the interface, pointing at
>>>> your default route (which carries the encapsulated VPN traffic).
>>> actually, you should not need to do this.
>> It seems to be an OpenBSD quirk.
>>> Just make sure you start rsyslog after the VPN is up and when it
>>> establishes the connection, it will get routed over the VPN and will
>>> auto-select the correct source IP.
>> Which one? enc0 has no IP, so it selects the parent interface.
>>> I suspect that what's happening is that you are starting rsyslog before the
>>> VPN, so it's getting the TCP connection established over the Internet
>>> before your routing changes.
>> I would be happy to agree, but no, it binds to the external interface, even
>> if the IPSEC tunnel is up.
>
> what do your routes look like with the tunnel up?

An OpenBSD IPsec VPN has no routes but flows, maintained by the kernel on tunnel up/down. netstat -rnfencap shows the flows, as does ipsecctl -s all; see here: http://www.kernel-panic.it/openbsd/vpn/vpn3.html

> If you really have to set the source IP manually for rsyslog, then you would
> need to do the same thing for your browser, for ssh, and every other program
> that you want to have go through the VPN. I just don't see that as a
> reasonable requirement to make things work with the VPN

We are talking about traffic initiated by the firewall itself, not route-through traffic. Of those, only 2 applications connect through the VPN tunnel: syslog and the network backup client.

Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
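The practical risk in the exchange above is that a flow-based IPsec setup only encapsulates packets whose source/destination pair matches an outbound flow, so if the kernel picks the external interface's address as the source for rsyslog's socket, the log stream may leave the firewall in the clear without any error. The following is an added example (not code from the thread, rsyslog or OpenBSD) that checks, before forwarding, whether a given source address and log host are covered by an `out` flow. The flow lines are constructed here and follow the general `flow esp out from A to B peer C ...` layout of `ipsecctl -s flow`; the address and peer values, the helper names and the assumption that real output may carry extra fields such as `srcid`/`dstid` (which are ignored) are all mine.

```python
import ipaddress
import re

# Constructed sample modelled on `ipsecctl -s flow` output (assumption: the
# real listing may contain additional fields; only the ones parsed here are used).
SAMPLE_FLOWS = """\
flow esp in from 10.20.0.0/24 to 192.0.2.1/32 peer 198.51.100.7 type use
flow esp out from 192.0.2.1/32 to 10.20.0.0/24 peer 198.51.100.7 type require
flow esp out from 192.0.2.0/24 to 10.30.0.0/24 peer 198.51.100.9 type use
"""

# Parses the protocol, direction, selectors and (optional) peer of one flow line.
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?"
)


def parse_flows(text):
    """Return a list of flow dicts; lines that do not look like flows are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "dir": m["dir"],
            # strict=False accepts host addresses with or without a prefix length
            "src": ipaddress.ip_network(m["src"], strict=False),
            "dst": ipaddress.ip_network(m["dst"], strict=False),
            "peer": m["peer"],
        })
    return flows


def matching_out_flow(flows, src_ip, dst_ip):
    """First outbound flow whose selectors cover the (source, destination) pair."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for f in flows:
        if f["dir"] == "out" and src in f["src"] and dst in f["dst"]:
            return f
    return None


def check_syslog_path(flow_text, chosen_src, loghost):
    """Return (covered, peer): covered is True only if an outbound flow would
    encapsulate packets from chosen_src to loghost; otherwise they go in clear."""
    f = matching_out_flow(parse_flows(flow_text), chosen_src, loghost)
    if f is None:
        return (False, None)
    return (True, f["peer"])


if __name__ == "__main__":
    # The source address the kernel picks for the socket decides the outcome:
    # an internal address matches the flow, the external interface address does not.
    for src in ("192.0.2.1", "198.51.100.2"):
        covered, peer = check_syslog_path(SAMPLE_FLOWS, src, "10.20.0.5")
        state = "encapsulated via peer %s" % peer if covered else "NOT covered: would leave in clear"
        print("syslog from %s to 10.20.0.5: %s" % (src, state))
```

On a live OpenBSD box the `SAMPLE_FLOWS` text would be replaced by the captured `ipsecctl -s flow` output, and `chosen_src` by the address the kernel actually selects (visible with `netstat -an` on the established connection). A `(False, None)` result is the condition to alarm on, since nothing in the stack reports it otherwise.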

