Testing new firewall to replace operational firewall

Peter Jeremy peter at vk2pj.dyndns.org
Tue May 19 09:55:29 UTC 2009


On 2009-May-17 23:20:40 -0700, mehma sarja <mehmasarja at gmail.com> wrote:
>I want to test two pf firewalls in-line - an old OpenBSD (3.7 #50, i386) is
>on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on the 'inside.' The
>FreeBSD firewall does NOT have altq enabled. Here is the setup:

I can't think of anything specific that would make this break.

>I suspect "modulate state" may be the culprit. Here is what the manual says:
>"modulate state - works only with TCP. PF will generate strong Initial
>Sequence Numbers (ISNs) for packets matching this rule." So we have 2
>machines generating ISNs for the same connection. Could this be the problem?

No.  The inner firewall will generate "strong" ISNs and forward the
packets.  The outer firewall will then generate its own "strong" ISN
and forward the packet to the internet.  Neither firewall cares about
the sequence numbers other than for tracking windows.

>SECOND
>Are the "flags S/SA" altq functions?

No, but I presume your testing took into account that inserting/removing
the firewall would kill all existing TCP connections.

My suggestion would be to do some repeat testing (hopefully you have a
maintenance window or low-traffic period where you can afford a
planned outage) with tcpdump running on inner, middle and outer
interfaces and follow the packets through.  Looking at how the packets
are transformed will hopefully provide a clue as to what is not
working the way you expect.

-- 
Peter Jeremy
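Added illustration (not part of the thread, and not pf's code): a small model of how "modulate state" ISN rewriting composes across two in-line firewalls. Each firewall picks its own random offset when it first sees the SYN, adds it to the sequence number in the SYN direction and subtracts it from the acknowledgement in the reply direction, so both endpoints still see consistent numbers; the endpoint names and offsets are constructed for the example.

```python
# Constructed model of pf "modulate state" stacked across two firewalls.
# Only the initiator's sequence space is shifted, matching pf: seq += diff
# on packets in the SYN direction, ack -= diff on the replies.
import random
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    syn: bool = False

class ModulatingFirewall:
    """Per-connection ISN modulation, keyed on the initiating (src, dst)."""
    def __init__(self, rng):
        self.rng = rng
        self.offsets = {}  # (src, dst) of the SYN -> random offset

    def forward(self, seg):
        """Packet in the SYN direction: shift seq by this firewall's offset."""
        key = (seg.src, seg.dst)
        if seg.syn and key not in self.offsets:
            self.offsets[key] = self.rng.randrange(1, MOD)  # fresh "strong" ISN
        return Segment(seg.src, seg.dst, (seg.seq + self.offsets[key]) % MOD,
                       seg.ack, seg.syn)

    def reverse(self, seg):
        """Reply packet: undo the shift on the acknowledgement number."""
        off = self.offsets[(seg.dst, seg.src)]
        return Segment(seg.src, seg.dst, seg.seq, (seg.ack - off) % MOD, seg.syn)

def handshake(client_isn, server_isn, seed=1):
    """Push SYN / SYN-ACK / ACK through inner then outer firewall and
    return what each end observes, to check the two views stay consistent."""
    rng = random.Random(seed)
    inner, outer = ModulatingFirewall(rng), ModulatingFirewall(rng)
    syn = Segment("client", "server", client_isn, 0, syn=True)
    on_wire = outer.forward(inner.forward(syn))             # what the internet sees
    synack = Segment("server", "client", server_isn, (on_wire.seq + 1) % MOD, syn=True)
    at_client = inner.reverse(outer.reverse(synack))        # unwound in reverse order
    ack = Segment("client", "server", (client_isn + 1) % MOD, (server_isn + 1) % MOD)
    at_server = outer.forward(inner.forward(ack))
    return {"wire_isn": on_wire.seq, "client_ack": at_client.ack,
            "server_seq": at_server.seq, "server_ack": at_server.ack}
```

Running tcpdump -S on each interface, as suggested above, shows exactly this per-hop shift on the real boxes.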