Re: Transparent bridge rdr SSH traffic
Karsten McMinn wrote:
> On 9/27/06, Jason Dixon [EMAIL PROTECTED] wrote:
>> Think about it. How would sshd communicate with you without an IP address? Seems to defy the laws of TCP/IP.
>
> I'd concede that it's more akin to bending than defying laws (RFCs). With enough will and some legwork you might be able to get further with renumbering lo(4) and using rdr. It would be a fun feature to run an ethernet interface in half bridge mode, but in the meantime just get a third interface outside of the bridge group.

Half bridge mode sounds cool :). So my only way out is to add a third interface to the OpenBSD server with a public IP address? Right?
Re: Transparent bridge rdr SSH traffic
Johan L wrote:
> Karsten McMinn wrote:
>> On 9/27/06, Jason Dixon [EMAIL PROTECTED] wrote:
>>> Think about it. How would sshd communicate with you without an IP address? Seems to defy the laws of TCP/IP.
>>
>> I'd concede that it's more akin to bending than defying laws (RFCs). With enough will and some legwork you might be able to get further with renumbering lo(4) and using rdr. It would be a fun feature to run an ethernet interface in half bridge mode, but in the meantime just get a third interface outside of the bridge group.
>
> Half bridge mode sounds cool :). So my only way out is to add a third interface to the OpenBSD server with a public IP address? Right?

Wrong! You can give an interface an IP address and use the same interface in your bridge configuration. (I do not say that this is the best configuration.) You can do very funny things with bridge configuration and IP configuration. At home I have one interface working as an access point. This interface is also a member of a bridge, the only member! I only use this bridge to filter MAC addresses (ok, please no discussion about faking MAC addresses).

cheers
guido
Re: Transparent bridge rdr SSH traffic
Yes, I tried, but it doesn't work; you need an IP address on sis0.

Thomas

On Wed, 2006-09-27 at 22:23 +0200, Johan wrote:
> Hi,
>
> We are trying to put an OpenBSD server (3.9 with all patches) between an ADSL modem and a commercial firewall. Using transparent bridge and PF, is it possible to redirect all SSH traffic arriving at sis0 to 127.0.0.1 on the OpenBSD server and pass all other traffic to the existing firewall? We still want the existing firewall to get the (only) public IP via DHCP from the ADSL modem. Must the bridge (sis1 or sis0) have a public IP for this to work? We have been trying google/groups and a lot of different setups in pf.conf without any luck. Is this setup possible at all?
>
> Any help, hints or suggestions would be much appreciated!
>
> Regards
> Johan Linnir
>
>          DHCP                    ExtInt
>   | ADSL |-----------------------| Firewall |
>                  |        |
>              -|----|-  -|----|-
>               |sis0|    |sis1|  bridge0
>              -|----|-  -|----|-
>                  |        |
>               ------------------
>               |    OpenBSD     |
>               |      sshd      |
>               |   127.0.0.1    |
>               ------------------
Re: Transparent bridge rdr SSH traffic
On Sep 27, 2006, at 4:23 PM, Johan wrote:
> Hi,
>
> We are trying to put an OpenBSD server (3.9 with all patches) between an ADSL modem and a commercial firewall. Using transparent bridge and PF, is it possible to redirect all SSH traffic arriving at sis0 to 127.0.0.1 on the OpenBSD server and pass all other traffic to the existing firewall? We still want the existing firewall to get the (only) public IP via DHCP from the ADSL modem. Must the bridge (sis1 or sis0) have a public IP for this to work? We have been trying google/groups and a lot of different setups in pf.conf without any luck. Is this setup possible at all?
>
> Any help, hints or suggestions would be much appreciated!

Think about it. How would sshd communicate with you without an IP address? Seems to defy the laws of TCP/IP.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: Transparent bridge rdr SSH traffic
How about adding a third NIC to both the OpenBSD box and the firewall, giving them their own private network addresses, then redirecting the SSH traffic from the firewall to OpenBSD over this new network? Forgive my poor attempts at modifying your drawing ;-)

--
John Brooks
[EMAIL PROTECTED]

> ...
> Any help, hints or suggestions would be much appreciated!
>
> Regards
> Johan Linnir
>
>          DHCP                    ExtInt
>   | ADSL |-----------------------| Firewall |
>                  |        |          |
>              -|----|-  -|----|-      | 10.1.1.1
>               |sis0|    |sis1| bridge0
>              -|----|-  -|----|-      |
>                  |        |          |
>               ------------------     |
>               |    OpenBSD     |     | 10.1.1.2
>               |      sshd      |------
>               |      fxp0      |
>               ------------------
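A concrete version of the third-interface setup John and Karsten describe, added here as an example and not taken from any of the posters. It assumes OpenBSD 3.9-era hostname.if and brconfig(8) syntax, John's 10.1.1.0/24 addresses and the interface names from the drawing, and that the commercial firewall itself forwards inbound TCP/22 to 10.1.1.2 (its configuration is vendor-specific and not shown).

```conf
# /etc/hostname.sis0 and /etc/hostname.sis1: bridge members carry no address
up

# /etc/hostname.bridge0: bridge commands as run by brconfig(8) at boot (3.9 syntax)
add sis0
add sis1
up

# /etc/hostname.fxp0: management interface, deliberately outside the bridge group
inet 10.1.1.2 255.255.255.0 NONE

# /etc/ssh/sshd_config: listen only on the private management address
# (sshd cannot answer on a bridge member that has no address anyway)
ListenAddress 10.1.1.2

# /etc/pf.conf
ext_if  = "sis0"
int_if  = "sis1"
mgmt_if = "fxp0"
fw_mgmt = "10.1.1.1"        # firewall's address on the 10.1.1.0/24 link (from John's drawing)

set skip on lo0

# Bridged frames are filtered on the member interfaces. Pass them all so the
# firewall still obtains its public lease via DHCP and the rest of the traffic
# crosses the bridge untouched; tighten this once the basic setup works.
pass quick on { $ext_if $int_if } all

# sshd is reachable only over the private link, and only from the firewall,
# which is the box that port-forwards TCP/22 from the public address to 10.1.1.2.
block in on $mgmt_if all
pass in on $mgmt_if inet proto tcp from $fw_mgmt to ($mgmt_if) port ssh flags S/SA keep state
pass out on $mgmt_if inet keep state
```

Load the ruleset with pfctl -f /etc/pf.conf and confirm with pfctl -sr that no rule on sis0 or sis1 refers to port 22, so the bridge members never answer SSH themselves.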
Re: Transparent bridge rdr SSH traffic
On 9/27/06, Jason Dixon [EMAIL PROTECTED] wrote:
> Think about it. How would sshd communicate with you without an IP address? Seems to defy the laws of TCP/IP.

I'd concede that it's more akin to bending than defying laws (RFCs). With enough will and some legwork you might be able to get further with renumbering lo(4) and using rdr. It would be a fun feature to run an ethernet interface in half bridge mode, but in the meantime just get a third interface outside of the bridge group.