DaemonForums > FreeBSD > FreeBSD Security
#1, 8th July 2013
irukandji (Port Guard; Join Date: Jul 2013; Posts: 16)

Multihome, packets leaving by "wrong" interface

My setup:

Code:
         +--------+                +--------+
         |internet|                |internet|
         +----|---+                +---|----+
              |                        |
              |                        |
    +---------|---------+     +--------|---------+
    |    adj.router     |     |   93.27.123.23   |
    |   (VPN server)    |     |    lan router    |
    |    10.10.10.1     |     |(nat and port fwd)|
    +---------|---------+     |   192.168.1.1    |
              |               +--------+---------+
              |                        |
              |                        |
    +---------|------------------------|----------+
    |         |                        |          |
    |        tun0                     em0         |
    |     10.10.10.77            192.168.1.200    |
    |   (default route)            |       |      |
    |                              |       |      |
    |  +--------------+       +----|---+---|---+  |
    |  | client tools |       |80:HTTPD|21:SSHD|  |
    |  +--------------+       +--------+-------+  |
    |                                             |
    +---------------------------------------------+
I want to keep my srv daemons accessible by static IP (93.27.123.23) while all other communication goes out via tun0.

The LAN router has port forwards to the daemons on the host. When OpenVPN (as a client) is running, it sets the route for 0.0.0.0 to its gateway, and because of this (at least I speculate this is the reason) the SYN comes from the internet to em0 but the ACK leaves the server via tun0. I believe the pf reply-to should be able to enforce TCP packets leaving on the same interface where the TCP session was established, but apart from regularly killing my networking, I wasn't able to configure it.

Can someone please help me? I can't post the rules I have written until now, as my network is down again and I am at a remote location. Once I get to the console, I'll also provide netstat -r.

Last edited by irukandji; 8th July 2013 at 08:52 AM.
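Below is an added pf.conf fragment illustrating how reply-to is normally used for exactly this situation; it is example configuration written for this thread, not the poster's rules. It assumes the interface names and addresses from the diagram (em0 = 192.168.1.200 behind the LAN router 192.168.1.1, tun0 carrying the default route) and that the LAN router's inside address is the correct next hop for replies on em0; the daemon ports 80 and 21 are taken from the diagram as drawn.

```pf
# Example pf.conf fragment (added here, not the original poster's config).
# Assumed names/addresses from the diagram: em0 is the LAN-facing interface,
# tun0 is the VPN interface holding the default route, 192.168.1.1 is the LAN
# router that forwards ports to this host.
ext_if   = "em0"
vpn_if   = "tun0"
lan_gw   = "192.168.1.1"
srv_ports = "{ 80, 21 }"

set skip on lo0

# Default deny; log blocked packets so a misrouted reply shows up in pflog0.
block log all

# Client tools: new outbound connections follow the routing table, i.e. tun0.
pass out quick on $vpn_if keep state

# Inbound connections to the daemons arriving on em0.
# reply-to pins the reply packets of each state to em0 and hands them to the
# LAN router, instead of letting them follow the default route out tun0.
# (em0) means "the current address(es) of em0", so a DHCP change is harmless.
pass in quick on $ext_if reply-to ($ext_if $lan_gw) proto tcp \
    to ($ext_if) port $srv_ports flags S/SA keep state

# The host itself may still talk to the LAN (router, local machines) via em0.
pass out quick on $ext_if keep state
```

Syntax-check with pfctl -nf /etc/pf.conf before loading, then confirm the behaviour rather than assuming it: tcpdump -ni em0 should show both halves of a connection to port 80 on em0, and pfctl -ss should list the state with the reply-to interface. Because reply-to is recorded in the state, only packets matching the state are forced out em0; everything originating on the host still uses the tun0 default route, which is the split the post asks for.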