
OpenBSD Bridge firewall



Another admin and I here are working on a transparent bridging
firewall using OpenBSD. So far everything is great. However, we have a
problem that we have not yet been able to solve, and I was hoping for a
little input from the experts.
Here's what we have:
2 T1 providers (t1-1, t1-2) coming into two external NICs (t1-1 --> fpx0,
t1-2 --> fpx1) going to two internal NICs (fpx0 --> fpx2, fpx1 --> fpx3),
which then come into our network. This is not a problem. The problem is
that since none of the NICs have IP addresses assigned to them, we cannot
find a way to make sure that the packets coming in on t1-1 only go out on
t1-1.
Here's what we tried:
# pf macro names may not contain "-", so t1-1/t1-2 are written t1_1/t1_2
t1_1 = "{123.123.123.123/26}"
t1_2 = "{234.234.234.234/26}"
# inbound: hand packets for each provider's network to its internal NIC
pass in log on fpx0 route-to fpx2 from any to $t1_1 keep state
pass in log on fpx1 route-to fpx3 from any to $t1_2 keep state
# outbound: send replies back through the external NIC they arrived on
pass out log on fpx2 reply-to fpx0 from $t1_1 to any
pass out log on fpx3 reply-to fpx1 from $t1_2 to any
However, this does not work. What we want to make sure of is that the t1-1
network does not talk to the t1-2 network until after they have passed the
firewall. Once they are inside, we want to make sure they pass out on the
same T1 network that they came in on.
Currently our web, DNS and mail servers have IPs for both networks, which is
where the problem lies (see diagram below).
DIAGRAM
                      --------
                      |      |
                      | Fire |               -----
T1-1  -------> FPX0   | WALL |  FPX2 ----->  |   | -----> DNS Server
                      |      |               |HUB| -----> Web Server
T1-2  -------> FPX1   |      |  FPX3 ----->  |   | -----> Mail Server
                      |      |               -----
                      --------
Thanks Eric
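An added pf.conf sketch (not from Eric's post or from OpenBSD itself) showing the other way to pin traffic to a provider on a bridge: since bridge(4) already forwards fpx0<->fpx2 and fpx1<->fpx3, route-to/reply-to are dropped and the egress interface is enforced by matching the source network on the external NICs. Interface names and the two /26 networks are taken from the post; the address values and the decision to leave the internal bridge members unfiltered are assumptions.

```pf
# Added example, not the original post's rules: pin each network to its T1
# by source address on the external interfaces instead of using route-to.
# Interfaces are from the post; the /26 values are placeholders.
t1_1 = "123.123.123.0/26"    # addresses reachable via T1-1
t1_2 = "234.234.234.0/26"    # addresses reachable via T1-2
ext_1 = "fpx0"               # bridged to fpx2
ext_2 = "fpx1"               # bridged to fpx3

# default deny; everything below must be explicitly allowed
block log all

# assumption: pf filters on every bridge member a packet crosses, so the
# internal members are passed unconditionally and the policy lives only on
# the external interfaces
pass quick on { fpx2, fpx3 } all

# inbound: a provider may only deliver packets addressed to its own network,
# so t1-2 traffic can never enter the t1-1 side before reaching the firewall
pass in on $ext_1 from any to $t1_1 keep state
pass in on $ext_2 from any to $t1_2 keep state

# outbound: a packet leaves on the interface that owns its source network;
# a t1_2-sourced packet trying to exit fpx0 matches nothing and is blocked,
# so the dual-homed DNS/web/mail servers cannot reply out the wrong T1
pass out on $ext_1 from $t1_1 to any keep state
pass out on $ext_2 from $t1_2 to any keep state
```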