On 2/7/2015 5:14 PM, Brad wrote:
On Sat, Feb 07, 2015 at 04:40:36PM -0500, Frank Sweetser wrote:
This is just a rough guess, but did you ever check on the state tables in your openbsd firewall?
I did not check the state tables in the OpenBSD firewall. I figured since it had just been forcefully rebooted the state tables were coherent.
It's not just a simple question of the firewall state table being internally consistent, it also has to be consistent with both the NAT gateway and what the clients are expecting. When one of your internal clients makes an outgoing connection, both the firewall and NAT tables have to have entries added to accommodate the return traffic - a translation rule in the NAT table, and an allow rule in the firewall. If either of those aren't correct, the return traffic won't make it back to the client.
In your setup you have state distributed amongst your clients, your firewall, and your NAT gateway, and unless all three are in sync you can easily get the kind of possessed network behavior you describe.
To properly exorcize should I pour holy water over the routers? I always figured some kind of black magic was involved in routing.
Simple routing, not so much - it's just packet go in, packet go out. It's when you throw state tables in that things start to get fragile. When you have strings of disconnected state tables that require consistency like this, it's not uncommon that you end up having to always reboot them together.
Is a bridged firewall not a good idea in practice because it adds another layer between the internet and the intranet, and could get out of sync?
The bridged portion itself isn't inherently much worse than doing a traditional layer 3 visible firewall, so long as you have your rules set up correctly to account for things like passing ARP traffic. Your typical all-in-one box is a little less likely to display this kind of weirdness only because they're combined on a single box, so a reboot will clear both out simultaneously. I would seriously suggest you check out pfSense. It's a FreeBSD based distribution designed to operate as a SOHO class firewall, with all of the usual NAT, DHCP, and other expected goodies. I think it's a pretty safe bet that it'll be a better router and firewall than OSX...

--
Frank Sweetser fs at wpi.edu           | For every problem, there is a solution that
Manager of Network Operations          | is simple, elegant, and wrong.
Worcester Polytechnic Institute        | - HL Mencken
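A toy model of the three state holders Frank describes (client, bridged stateful firewall, NAT gateway), added here as an illustration and not part of the thread: it sends one flow out, reboots either middlebox, and shows the reply dying whichever one lost its table. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    def reply(self):            # the server's answer: endpoints swapped
        return Packet(self.dst, self.dport, self.src, self.sport)

class NatGateway:
    """Rewrites private source addresses and remembers the mapping for replies."""
    def __init__(self, public_ip):
        self.public_ip, self.table, self.next_port = public_ip, {}, 40000
    def outbound(self, p):
        hits = [pub for pub, priv in self.table.items() if priv == (p.src, p.sport)]
        pub = hits[0] if hits else self.next_port
        if not hits:
            self.table[pub], self.next_port = (p.src, p.sport), pub + 1
        return Packet(self.public_ip, pub, p.dst, p.dport)
    def inbound(self, p):
        priv = self.table.get(p.dport)  # no mapping: packet cannot be translated
        return Packet(p.src, p.sport, *priv) if priv else None

class StatefulFirewall:
    """Bridged firewall: passes replies only for flows it saw leave."""
    def __init__(self):
        self.states = set()
    def outbound(self, p):
        self.states.add((p.src, p.sport, p.dst, p.dport))
        return p
    def inbound(self, p):
        return p if (p.dst, p.dport, p.src, p.sport) in self.states else None

def round_trip(req, fw, nat, reboot=None):
    """Client -> firewall -> NAT -> server, optional reboot, then the reply back."""
    out = nat.outbound(fw.outbound(req))
    if reboot == "nat":
        nat.table.clear()        # gateway lost its translations
    elif reboot == "fw":
        fw.states.clear()        # firewall lost its allow-return states
    back = nat.inbound(out.reply())
    return fw.inbound(back) if back else None

def demo():
    fw, nat = StatefulFirewall(), NatGateway("203.0.113.1")   # constructed addresses
    req = Packet("192.168.1.10", 51515, "198.51.100.7", 443)
    return {name: round_trip(req, fw, nat, reboot=r) is not None
            for name, r in [("in_sync", None), ("nat_rebooted", "nat"), ("fw_rebooted", "fw")]}
```

The client never learns that a middlebox was rebooted, which is why the only reliable recovery in this layout is to clear all the tables at once.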