From owner-freebsd-pf@freebsd.org Sun Oct 23 21:01:00 2016
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 23 Oct 2016 21:01:00 +0000
Message-Id: <201610232101.u9NL01I0036946@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      | Bug Id    | Description
------------+-----------+---------------------------------------------------
Open        | 203735    | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.
From owner-freebsd-pf@freebsd.org Mon Oct 24 12:59:35 2016
From: Patrick Lamaiziere
To: freebsd-pf@freebsd.org
Subject: 10.3 pfsync large difference between number of states on two firewalls
Date: Mon, 24 Oct 2016 14:59:26 +0200
Message-ID: <20161024145926.4770faf5@mr185083>

(trying freebsd-pf)

Hello,

I have a pair of firewalls with carp, pf and pfsync and I see a large
difference between the number of states (pfctl -si, current entries) on the
firewalls.

The pfsync link is a 10 GB link with around 20 Kpps on load (don't think
it's the issue).

pf1 is the master with 807598 states, pf2 is the backup with 1696258 states.

There is only small traffic from / to the firewalls that can explain this
difference.

I'm looking at the states (but it's not easy on real traffic) and I've found
some states not present in pf1, but still present in pf2. One state was in
state tcp ESTABLISHED:ESTABLISHED with an expire age around 23:55:00 (the
default of a tcp timeout) and I can confirm that the tcp session was ended
(with netflow traces) and started 5 minutes ago.

So it looks like sometimes pf2 misses (or pf1 does not send) some state
updates. I say "sometimes" because with the rate of state inserts here, I
think that if this is always the case, the states table on pf2 would have
already exploded.

I would like to know if someone is seeing this kind of difference. Even an
"it works for me" will be helpful.

Thanks, regards.

From owner-freebsd-pf@freebsd.org Mon Oct 24 20:38:43 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 213736] pf: hardcoded if_output skips ip[6]_output and pfil order
Date: Mon, 24 Oct 2016 20:38:43 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213736

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Thu Oct 27 13:14:03 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 212384] pfsync(4) bulk update fail
Date: Thu, 27 Oct 2016 13:14:03 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-STABLE
X-Bugzilla-Who: patfbsd@davenulle.org
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212384

--- Comment #1 from patfbsd@davenulle.org ---
Hello,

My firewalls are now in production and it appears that with a lot of states
(~600 000 here), the pfsync bulk works fine just using /etc/rc.d/pfsync.

So there is something wrong when the number of states is low or very low.
Regards,

From owner-freebsd-pf@freebsd.org Thu Oct 27 13:51:26 2016
From: James Morris
To: "freebsd-pf@freebsd.org"
Subject:
Date: Thu, 27 Oct 2016 13:51:10 +0000

Hi,

I have a FreeBSD server (A) with 2 NICs. Each NIC is connected to a
different network:

  igb0: 10.0.0.10/24
  igb1: 10.10.10.10/24

The default gateway on the server is 10.0.0.1. The two networks can
communicate using a router (10.0.0.1).

I have a server (B) running on 10.10.10.100 which only allows incoming
connections from 10.0.0.0/24 (not 10.10.10.0/24).

When my FreeBSD server A attempts to connect to server B it uses the closest
IP and goes through igb1, which is dropped by B.

Is there a way to force all (or some) outbound traffic to use igb0?

I have attached a small network diagram to illustrate my setup.
Thanks,
James

From owner-freebsd-pf@freebsd.org Thu Oct 27 14:02:13 2016
From: James Morris
To: "freebsd-pf@freebsd.org"
Subject: Forcing a route using pf
Date: Thu, 27 Oct 2016 14:00:58 +0000

Hi,

I have a FreeBSD server (A) with 2 NICs. Each NIC is connected to a
different network:

  igb0: 10.0.0.10/24
  igb1: 10.10.10.10/24

The default gateway on the server is 10.0.0.1. The two networks can
communicate using a router (10.0.0.1).

I have a server (B) running on 10.10.10.100 which only allows incoming
connections from 10.0.0.0/24 (not 10.10.10.0/24).

When my FreeBSD server A attempts to connect to server B it uses the closest
IP and goes through igb1, which is dropped by B.

Is there a way to force all (or some) outbound traffic to use igb0?

I have attached a small network diagram to illustrate my setup.
Thanks,
James

From owner-freebsd-pf@freebsd.org Thu Oct 27 14:11:41 2016
From: James Morris
To: "freebsd-pf@freebsd.org"
Subject: Re: Forcing a route using pf
Date: Thu, 27 Oct 2016 14:10:23 +0000
In-Reply-To: <20161027140324.GH51420@home.opsec.eu>

Yes, I learned that just now.

Link: https://imgur.com/gallery/i8EbX

Best,
James

________________________________
From: Kurt Jaeger
Sent: 27 October 2016 14:03:24
To: James Morris
Subject: Re: Forcing a route using pf

Hi!

> I have attached a small network diagram to illustrate my setup.

Put the attachment on some server and send the link. The mailing list
software removes attachments.

--
pi@opsec.eu   +49 171 3101372   4 years to go !
From owner-freebsd-pf@freebsd.org Thu Oct 27 14:24:16 2016
From: Kurt Jaeger
To: James Morris
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Forcing a route using pf
Date: Thu, 27 Oct 2016 16:24:17 +0200
Message-ID: <20161027142417.GI51420@home.opsec.eu>
References: <20161027140324.GH51420@home.opsec.eu>

Hi!

On Server A:

  route add -host 10.10.10.100 10.0.0.1

On Server B:

  route add -net 10.0.0.0/24 10.10.10.1

--
pi@opsec.eu   +49 171 3101372   4 years to go !
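Added example, not from any message in this thread: a FreeBSD 10.x pf.conf for host A that complements the static route above (the route, not pf, is what makes the kernel source connections to B from igb0, because pf sees a packet only after the socket's source address has been chosen and route-to cannot change that) and also handles the follow-up concern raised later in the thread, replies to connections B opens towards igb1 leaving through igb0. The TCP ports in b_ports and the default-deny policy are assumptions for illustration.

```pf
# Host A: igb0 = 10.0.0.10/24 (default gateway 10.0.0.1), igb1 = 10.10.10.10/24
# Assumes the host route from the thread is in place on A:
#   route add -host 10.10.10.100 10.0.0.1
# Outbound connections A opens to B therefore already leave via igb0 with
# source 10.0.0.10, which is what B's 10.0.0.0/24-only policy accepts.

ext_if   = "igb0"
int_if   = "igb1"
server_b = "10.10.10.100"
b_ports  = "{ 22, 443 }"        # assumption: the services A uses on B

set skip on lo0
block log all                   # assumption: default deny, state passes the rest

# A -> B: only these TCP ports may be opened, and only from igb0's address.
# Anything else addressed to B, on either interface, is blocked and logged.
pass out quick on $ext_if inet proto tcp from ($ext_if) to $server_b \
    port $b_ports flags S/SA keep state
block out quick log on { $ext_if, $int_if } inet to $server_b

# B -> A on igb1: reply-to pins the reply direction of this state to igb1
# with B itself (directly connected) as next hop, so the answers do not
# follow the host route out through igb0.  States are floating by default,
# so the replies match this state on igb1 without hitting the block above.
pass in quick on $int_if reply-to ($int_if $server_b) inet proto tcp \
    from $server_b to ($int_if) port $b_ports flags S/SA keep state

# All other traffic A originates is allowed statefully.
pass out quick on { $ext_if, $int_if } inet keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; in the FreeBSD 10 grammar the `reply-to` clause must sit between `on $int_if` and the address family, as written here.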
From: James Morris
To: freebsd-pf@freebsd.org
Subject: Re: Forcing a route using pf
Date: Thu, 27 Oct 2016 19:23:38 +0000
In-Reply-To: <20161027142417.GI51420@home.opsec.eu>

Hi,

While this does solve the issue of pushing traffic through igb0, any incoming connections to igb1 from server B also get shunted out igb0.

I was wondering if there is a way to do this in pf. This way I can say for any outbound connections to B use igb0, but if B contacts me on igb1, reply with the same IP. Further, I could probably restrict outbound by tcp ports too.

Thanks for the help.

James

> From: Kurt Jaeger
> Sent: 27 October 2016 14:24
> To: James Morris
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Forcing a route using pf
>
> Hi!
> On Server A:
> route add -host 10.10.10.100 10.0.0.1
>
> On Server B:
> route add -net 10.0.0.0/24 10.10.10.1
>
> --
> pi@opsec.eu            +49 171 3101372                         4 years to go !

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 196314] pf nested inline anchors does not work
Date: Fri, 28 Oct 2016 00:13:39 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 10.0-STABLE
X-Bugzilla-Keywords: patch
X-Bugzilla-Status: New
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196314

Martin Beran changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin.beran@kernun.cz

--- Comment #2 from Martin Beran ---
(In reply to krichy from comment #0)

The bug is still present. I tested it in 10.3, but the relevant pfctl code is the same in head. The single line patch attached to the original PR solves the problem. Please, could it be committed?

--
You are receiving this mail because:
You are the assignee for the bug.

From: Patrick Lamaiziere
To: James Morris
Cc: freebsd-pf@freebsd.org
Subject: Re: Forcing a route using pf
Date: Fri, 28 Oct 2016 13:21:54 +0200
Message-ID: <20161028132154.5a094476@mr185083>
References: <20161027140324.GH51420@home.opsec.eu> <20161027142417.GI51420@home.opsec.eu>
On Thu, 27 Oct 2016 19:23:38 +0000, James Morris wrote:

> Hi,

Hello,

> While this does solve the issue of pushing traffic through igb0,
> however any incoming connections to igb1 from server B also get shunted
> out igb0.
>
> I was wondering if there is a way to do this in pf.

See the PF route-to option.

Regards,
From: James Morris
To: Patrick Lamaiziere
Cc: freebsd-pf@freebsd.org
Subject: Re: Forcing a route using pf
Date: Sat, 29 Oct 2016 10:14:53 +0000
In-Reply-To: <20161028132154.5a094476@mr185083>

Hi,

I added the pf rule:

pass out on igb1 route-to ( igb0 10.0.0.1 ) from any to 10.10.10.100

But now when I try to reach 10.10.10.100, traffic goes out igb0 as expected, but it has the source IP of igb1.

# ping 10.10.10.100

# tshark -i igb0
Capturing on 'igb0'
  1 0.000000       10.10.10.10 -> 10.10.10.100 ICMP 98 Echo (ping) request  id=0xb403, seq=0/0, ttl=64
  2 0.001509 RealtekU_12:35:02 -> Broadcast    ARP 60 Who has 10.10.10.10?  Tell 10.0.0.1
  3 1.020896       10.10.10.10 -> 10.10.10.100 ICMP 98 Echo (ping) request  id=0xb403, seq=1/256, ttl=64
  4 1.022268 RealtekU_12:35:02 -> Broadcast    ARP 60 Who has 10.10.10.10?  Tell 10.0.0.1

Traffic is flowing out the correct interface, but has the wrong source IP address.

What am I doing wrong here?

Thanks,
James

> From: Patrick Lamaiziere
> Sent: 28 October 2016 11:21
> To: James Morris
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Forcing a route using pf
>
> On Thu, 27 Oct 2016 19:23:38 +0000, James Morris wrote:
>
> > Hi,
>
> Hello,
>
> > While this does solve the issue of pushing traffic through igb0,
> > however any incoming connections to igb1 from server B also get shunted
> > out igb0.
> >
> > I was wondering if there is a way to do this in pf.
>
> See the PF route-to option.
>
> Regards,
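An added pf.conf example for Server A, covering both James's original question (connections that B opens to igb1 should be answered on igb1) and the wrong-source-address symptom in the capture above. This is not code from the thread or from any of its participants. The interface names, the addresses and the 10.0.0.1 next hop come from the thread (Kurt's route and the tshark output); the macro names, the tcp port list and the assumption that igb1 carries 10.10.10.10 are mine, and the rules use FreeBSD 10.x pf syntax, where nat rules are listed before filter rules.

```conf
# Added example for Server A's /etc/pf.conf (FreeBSD 10.x pf syntax).
# Not taken from the thread. Assumed layout, built from the thread's addresses:
#   igb0: A's interface towards 10.0.0.0/24, next hop 10.0.0.1 (Kurt's route)
#   igb1: A's interface with address 10.10.10.10 (the source in the capture)
#   Server B: 10.10.10.100, on-link via igb1
# Macro names and the tcp port list are assumptions.
ext_a = "igb0"
gw_a  = "10.0.0.1"
ext_b = "igb1"
srv_b = "10.10.10.100"

# Why the capture shows igb1's address: route-to only changes the outgoing
# interface and next hop. The IP stack chose the source address earlier, from
# the routing table (B is on-link via igb1), and pf does not rewrite it.
# pf evaluates nat rules before filter rules, and when route-to moves a packet
# to another interface it is re-run through that interface's rules, so this
# rule sees the redirected packets on igb0 and gives them igb0's address.
nat on $ext_a inet from ($ext_b) to $srv_b -> ($ext_a)

# Connections A opens to B: force them out igb0 via 10.0.0.1 instead of the
# direct igb1 path. ICMP for the ping test; tcp limited to assumed ports.
pass out quick on $ext_b route-to ($ext_a $gw_a) inet proto icmp from ($ext_b) to $srv_b
pass out quick on $ext_b route-to ($ext_a $gw_a) inet proto tcp from ($ext_b) to $srv_b port { 22 443 }

# Connections B opens to A's igb1 address: reply-to records in the state that
# replies go back out igb1 to B, so they are not pushed out igb0 by the rules
# above or by a host route.
pass in quick on $ext_b reply-to ($ext_b $srv_b) inet from $srv_b to ($ext_b)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `pfctl -ss` should show a nat state on igb0 for the ping, and a capture on igb0 should show igb0's address as the source instead of 10.10.10.10. If you keep the host route Kurt suggested on A instead of the route-to rules, the stack already picks igb0's address for connections to B, so the nat and route-to rules are unnecessary and only the reply-to rule is needed to keep B-initiated connections on igb1.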