DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
Old 25th July 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,799
Default

Routing and routes can be confusing. Please excuse the routing explanation below, but I am hoping it will provide some clarity. PF block rules can behave like routing errors between networks, so this explanation does not include any discussion of PF.
Code:
[System A] - network 1 - [Router B] - network 2 - [Router D] - {the internet} - [System E]
                                           |
                                     [System C]
System A on network 1 only has one route to other networks, through Router B. To communicate with other systems on other networks, it only needs a default, gateway route. In OpenBSD route(8) terms, this would be # route add default <address of Router B on network 1> where the keyword "default" is equivalent to 0.0.0.0/0. Any IP packet destined for an address not on network 1 will be sent to Router B for routing to all other networks, such as System C on network 2, or to System E somewhere on the internet.

On OpenBSD, the default route is assigned statically with a mygate(5) file, or dynamically via a DHCP server.

Router B is aware of two networks: network 1 and network 2, because it has NICs provisioned on both networks. But it needs a default route: through Router D. In route(8) terms, this would be # route add default <address of Router D on network 2>. With this knowledge, any traffic it receives to be forwarded to System A on network 1 will be sent directly to it through its NIC on network 1. Likewise, any traffic it receives to be forwarded to System C on network 2 would be sent directly to it through its NIC on network 2. But any traffic it receives for networks other than 1 or 2 would be forwarded to Router D for further distribution.

System C on network 2 has direct access to the two routers B and D. It will need a default route through Router D. If System C needs to communicate with System A on network 1, it will need a route to network 1 added. In route(8) terms, that additional route would be # route add <network 1> <address of Router B on network 2>. This additional route can be added via a DHCP server, or can be added statically. If System C is an OpenBSD system, a !route command is added to a hostname.if(5) file to add a static route.

Router D is aware of network 2 and its internet connection. Its default route will be through the ISP, either dynamically with DHCP or statically. But it has no knowledge of network 1 unless a route to it is provisioned. In route(8) terms, this would be # route add <network 1> <address of Router B on network 2>.

Last edited by jggimi; 25th July 2019 at 07:25 PM. Reason: clarity for the ASCII "picture", and typos. And another typo. Thanks IdOp!!!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Alix3d2 + Mikrotik R52nM Wifi Access point network performance jkusniar OpenBSD General 3 13th January 2015 07:59 AM
AuthPF Configuration EverydayDiesel OpenBSD Security 30 16th July 2014 03:37 PM
authpf setup dbach OpenBSD General 14 19th January 2013 04:25 AM
authpf, authpf.rules unable to modify filters kbeaucha OpenBSD Security 16 10th May 2012 09:46 PM
PF cannot access Internet from internal network gpatrick OpenBSD Security 3 29th August 2010 10:59 PM


All times are GMT. The time now is 07:16 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick