I'm facing a challenge with my PF firewall on an OpenBSD machine.
From a client (A) I'm connecting to a server (B) using a target ip (SRV-IP-1). The server is replying to my request, but sourcing the reply from a different IP (SRV-IP-2).
The firewall is dropping the reply, since it's unable to understand that the reply is part of a conversation originated from the inside network (it thinks that the reply is a connection started from outside).
Is there a way to instruct the firewall to consider a reply valid if coming from, say, a "pool" of addresses instead of the address used as the conversation target (SRV-IP-1)? For example, it would be nice to map a specified address with other addresses, to "chain" the state.
Thank you.
There are many ways of allowing traffic from a pool of addresses.
You can use CIDR subnets:
You can use a macro:
Another way would be to use anchors.
That would allow you to "nest" rules inside another rule...kind of...
OpenBSD's documentation on PF is very helpful, as is Calomel's web site.
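An added pf.conf fragment (not from the answer above) showing the three mechanisms the answer names: a macro, a CIDR subnet, and an anchor. Interface names, the inside network and the server addresses are assumed placeholders (198.51.100.0/24 is a documentation range). The example uses UDP because a TCP client's own stack would reject a reply from a different address, so the "reply comes from SRV-IP-2" situation is typical of UDP services; adjust the protocol and ports to the real service.

```pf
# Added example, not the original answer's code. Assumed names:
#   em0 = external interface, em1 = internal interface
#   198.51.100.10 = SRV-IP-1 (address the client talks to)
#   198.51.100.11 = SRV-IP-2 (address the reply actually comes from)
ext_if = "em0"
int_if = "em1"

# Macro: every address server B is known to answer from
srv_pool = "{ 198.51.100.10, 198.51.100.11 }"

# Default deny, logged, so unexpected reply sources show up on pflog0
block log all

# Outbound requests from the inside network; pf keeps state for these
pass out on $ext_if inet proto udp from $int_if:network to $srv_pool port 5060

# pf cannot attach a reply from SRV-IP-2 to the SRV-IP-1 state, so the
# reply is matched as a new inbound flow. Allow it only from the pool,
# only toward the inside network, and only to unprivileged client ports.
pass in on $ext_if inet proto udp from $srv_pool to $int_if:network port 1024:65535

# CIDR form: same allowance when the pool shares a prefix
pass in on $ext_if inet proto udp from 198.51.100.0/28 to $int_if:network port 1024:65535

# Anchor: rules loaded into "srvpool" (pfctl -a srvpool -f srvpool.conf)
# are evaluated at this point, so the pool can change without touching
# the main ruleset
anchor "srvpool" in on $ext_if
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`; `pfctl -s rules` and `pfctl -s state` show what was installed and which flows currently hold state.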
The firewall doesn't know that server B has two IP addresses -- it treats each IP address as a different source/object. The diagram below shows what your firewall is seeing.
To get the firewall to pass traffic from this "other" computer you need to add explicit rules to allow the green traffic (from the second IP to arbitrary hosts out on the internet) - you can do this with individual rules or with an address table (see the pf documentation for more info on tables).
A better solution is probably to determine why you are sending replies from a different address than where you're receiving the requests -- if you can make all the traffic take place to/from one address you will be able to take advantage of pf's automatic state tracking, and have a much simpler environment to manage.
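An added example (not the answer's own configuration) of the table-based approach this answer suggests: the "other" address is listed in a persistent table and the inbound rule is written against the table rather than against individual hosts. Names and addresses are assumed placeholders from documentation ranges.

```pf
# Added example, not from the original answer. Assumed:
#   em0 = external interface, 10.0.0.0/24 = inside network
#   198.51.100.10 / .11 = the two addresses server B uses
ext_if  = "em0"
int_net = "10.0.0.0/24"

# Persistent table: survives ruleset reloads and can be edited at runtime
table <srv_replies> persist { 198.51.100.10, 198.51.100.11 }

block log all

# Requests out to any address in the table (state is kept per flow)
pass out on $ext_if inet proto udp from $int_net to <srv_replies> port 5060

# The "green" traffic from the diagram: replies from any table member
# back to the inside network, limited to the client port range
pass in on $ext_if inet proto udp from <srv_replies> to $int_net port 1024:65535
```

Because the table is persistent, adding a further reply address is a runtime operation rather than a reload: `pfctl -t srv_replies -T add 198.51.100.12`, and `pfctl -t srv_replies -T show` lists the current members. Replies that still get dropped appear on the log interface (`tcpdump -n -e -ttt -i pflog0`), which is the quickest way to confirm which source address the server is really using before widening the rule.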