On Fri, 26 Apr 2013, Axel Rau wrote:

> On 24.04.2013 at 04:54, David Lang <[email protected]> wrote:
>
>> On Tue, 23 Apr 2013, Axel Rau wrote:
>>
>> Why do you say this? I've managed hundreds of multi-homed firewalls (some with
>> as many as 20 physical interfaces) and have never found that I needed to set
>> the source IP.
>>
>> Unless you have multiple interfaces to the same network, there is no ambiguity,
>> the system will always use the same interface (and will use the main IP on that
>> interface for outbound messages when you have multiple IPs on one interface)
>>
>>> If you have an IPsec VPN, terminated on an OpenBSD firewall, and want to log
>>> firewall activity to a log host, reached through the VPN, you will see the
>>> sending socket of your syslogd binding to the interface, pointing at your
>>> default route (which carries the encapsulated VPN traffic).
>>
>> Actually, you should not need to do this.
>
> It seems to be an OpenBSD quirk.
>
>> Just make sure you start rsyslog after the VPN is up and when it establishes
>> the connection, it will get routed over the VPN and will auto-select the
>> correct source IP.
>
> Which one? enc0 has no IP, so it selects the parent interface.
>
>> I suspect that what's happening is that you are starting rsyslog before the
>> VPN, so it's getting the TCP connection established over the Internet before
>> your routing changes.
>
> I would be happy to agree, but no, it binds to the external interface, even if
> the IPsec tunnel is up.
>
>> What do your routes look like with the tunnel up?
>
> OpenBSD IPsec VPN has no routes but flows, maintained by the kernel on tunnel up/down.
> netstat -rnfencap shows the flows like ipsecctl -s all here:
> http://www.kernel-panic.it/openbsd/vpn/vpn3.html
>
>> If you really have to set the source IP manually for rsyslog, then you would
>> need to do the same thing for your browser, for ssh, and every other program
>> that you want to have go through the VPN. I just don't see that as a reasonable
>> requirement to make things work with the VPN
>
> We are talking about traffic initiated by the firewall itself, not
> route-through traffic.
> Of those, only 2 applications connect through the VPN tunnel: syslog and the
> network backup client.

So you are saying that if you start a VPN, you then cannot ssh to something
through the VPN without explicitly configuring SSH to use a specific source
IP?

This doesn't sound like a sane VPN configuration to me. If you have to modify
every app that will talk through the VPN, and explicitly configure the app to use
the VPN, that VPN is pretty worthless.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
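The question the thread circles, which local address the kernel actually picks for a datagram to the log host versus what you get by binding one explicitly, can be settled on the firewall without guessing. The following is an added example, not code from the thread or from rsyslog: connect() on a UDP socket performs the route lookup and fixes the local endpoint without sending a packet, so getsockname() reveals the source address the kernel would use. The 192.0.2.10 log host and 203.0.113.1 external address in the demo are constructed placeholders; run it with the real log-host address on the OpenBSD box, with the tunnel up and down, to see whether the chosen source changes.

```python
import socket


def kernel_selected_source(dest_ip, dest_port=514):
    """Return the local IPv4 address the kernel selects for a UDP datagram
    to dest_ip:dest_port, or None if there is no route.

    connect() on a UDP socket only does the route lookup and records the
    local endpoint; no packet leaves the host, so this is safe to run
    against a production log host.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]
    except OSError:
        return None  # e.g. "Network is unreachable": no route to dest_ip
    finally:
        s.close()


def source_with_explicit_bind(bind_ip, dest_ip, dest_port=514):
    """Model a daemon that is configured with a fixed source address:
    bind() the local end first, then connect(). The kernel still routes
    by destination, but the source field is now whatever was bound."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((bind_ip, 0))  # port 0: let the kernel pick an ephemeral port
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]
    finally:
        s.close()


def source_matches(dest_ip, expected_src, dest_port=514):
    """True if the kernel's own choice for dest_ip is expected_src, i.e. the
    daemon needs no source-address setting to reach the log host with the
    address the remote side (or the IPsec flow) expects."""
    return kernel_selected_source(dest_ip, dest_port) == expected_src


if __name__ == "__main__":
    # Constructed placeholders (RFC 5737 documentation ranges), not real hosts.
    LOG_HOST = "192.0.2.10"        # log host on the far side of the tunnel
    EXTERNAL_IP = "203.0.113.1"    # firewall's external (parent) interface

    chosen = kernel_selected_source(LOG_HOST)
    print("kernel would source datagrams to %s from %s" % (LOG_HOST, chosen))
    if chosen == EXTERNAL_IP:
        print("source is the external interface address: check the IPsec "
              "flows (netstat -rnfencap / ipsecctl -s all) cover that address")
    elif chosen is None:
        print("no route to the log host at all")
```

To compare the two behaviours on any host, call `kernel_selected_source()` against the log host and `source_with_explicit_bind()` with the address you would like syslog to use; if the first already returns the address the flow matches, the daemon needs no bind option, which is David's point, and if it returns the parent interface address while the tunnel is up, that is Axel's observation reproduced outside syslogd.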