From owner-freebsd-pf@FreeBSD.ORG Wed Feb 3 02:59:59 2010
Sender: "J. Hellenthal"
Date: Tue, 2 Feb 2010 21:59:34 -0500
From: jhell
To: Stefan
Cc: freebsd-pf@freebsd.org
Subject: Re: toute-to on lo0 not working?
In-Reply-To: <4B6866D5.4060405@gmail.com>
References: <4B6866D5.4060405@gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-OpenPGP-Key-Id: 0x89D8547E
X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, 2 Feb 2010 12:54, stefanferreira@ wrote:

> Hi
>
> In my quest to route traffic originating on the freebsd machine, I've managed
> to loop back outbound traffic via lo0 so that I can try and route it inbound
> on lo0 (pf can't apply route-to logic to outbound traffic; by then it's too
> late to try and route it over a different interface).
>
> The loopback works when I switch off skip on lo0, and pass all lo0 traffic,
> so that traffic is definitely processed by pf. I also know the looping works,
> because when I try to ping an outside IP, I get a response that the TTL has
> been exceeded, and traceroute shows repeating entries of 127.0.0.1 (in other
> words, the packets just loop back through the pf box repeatedly till their
> TTL is exceeded).
>
> The problem is the moment I change my rule to try and route the inbound
> traffic on lo0, the packets just seem to go nowhere. They are not routed
> correctly and I can't tell what happens to them. In the ruleset below,
> enabling the second rule results in the packets looping back to the pf box
> repeatedly, and the first rule results in the packets "disappearing". The
> only difference is the route-to statement, which works for all traffic
> originating elsewhere on the lan.
>
> #pass in quick on lo0 route-to (adsl-int0 196.210.140.129) from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local
> #pass in quick on lo0 from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local
> pass out quick all $KEEPSTATE tagged zSA_Local
> pass quick on lo0
>
> Please help! I really need to route traffic originating on the pf box via pf,
> and not via rtables!
>

Have you tried implementing "binat" and possibly making use of rdr while
using some tables to hold your addresses and subnets?

# BINAT
# Translate outgoing packets' source address (any protocol).
# Translate incoming packets' destination address to an internal machine
# (bidirectional).
binat on $ext_if from 10.1.2.150 to any -> $ext_ifA

you could change that to:

binat on $ext_if from to any -> $ext_ifA

Looping traffic that is originating internally back around to a loopback
interface is not going to solve this, and it will cause you a lot more
frustration.

Best of luck.

-- 
jhell
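As an added illustration of the two approaches the thread contrasts (this is not code from either poster), the fragment below is a pf.conf skeleton in the FreeBSD 8-era pf syntax used above: lo0 is left under `set skip` so nothing can loop, the one-to-one binat that jhell quotes is kept for a single host, a table holds the remaining LAN addresses, and route-to is applied on the LAN-facing interface, which Stefan reports works for traffic originating elsewhere on the LAN. The interface name adsl-int0 and the gateway 196.210.140.129 are taken from Stefan's ruleset; int_if, the LAN block, the second public address and the tag name are constructed placeholders.

```pf
# Added example, not part of the thread. Interface adsl-int0 and gateway
# 196.210.140.129 come from Stefan's ruleset; everything else is a placeholder.
ext_if  = "adsl-int0"
ext_gw  = "196.210.140.129"
int_if  = "em0"                 # assumed LAN interface
ext_ifA = "203.0.113.10"        # assumed second public address used by binat
lan_srv = "192.0.2.150"         # assumed host that gets the one-to-one mapping

# Assumed LAN block; 'persist' keeps the table even when no rule references it.
table <lan_nets> persist { 192.0.2.0/24 }

# Loopback stays out of pf entirely, as jhell advises: no tagging, no
# route-to and no state tracking on lo0, so a packet can never re-enter pf
# through the loopback and circle until its TTL expires.
set skip on lo0

# Translation rules must precede filter rules in this pf version.
# One rule covers both directions: lan_srv is reached as ext_ifA from the
# outside and appears as ext_ifA when it talks out.
binat on $ext_if from $lan_srv to any -> $ext_ifA
# The rest of the LAN shares the external interface's primary address.
nat on $ext_if from <lan_nets> to any -> ($ext_if)

block in log all

# LAN-originated traffic: route-to on the inbound LAN interface picks the
# egress path while pf still controls it, then the tag lets the matching
# outbound rule on adsl-int0 pass the packet without re-evaluating policy.
pass in quick on $int_if route-to ($ext_if $ext_gw) \
    from <lan_nets> to ! <lan_nets> keep state tag LAN_OUT
pass out quick on $ext_if keep state tagged LAN_OUT

# Checks to run after loading (from a shell, not part of pf.conf):
#   pfctl -nf /etc/pf.conf    parse only; catches syntax and rule-order errors
#   pfctl -s nat              confirm the binat and nat entries loaded as written
#   pfctl -s rules -vv        per-rule packet counters show which rule matches
#   pfctl -s state            states should appear on adsl-int0, none on lo0
```

The pfctl lines in the trailing comment are the check a practitioner would want before trusting the ruleset: `-nf` validates without loading, and the per-rule counters from `-s rules -vv` are the quickest way to see whether packets are matching the route-to rule or falling through to `block in`.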