From owner-freebsd-pf@FreeBSD.ORG Mon Feb 8 11:07:02 2010
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 8 Feb 2010 11:07:01 GMT
Message-Id: <201002081107.o18B71iF087464@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

42 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 8 18:15:27 2010
From: Maurice
To: jhell
Cc: freebsd-pf@freebsd.org
Date: Mon, 8 Feb 2010 11:15:24 -0700
References: <7731938b1002051647y78be2d0dq56ac8f3c39d993e@mail.gmail.com>
Subject: Re: using pf to NAT with only one NIC

On Fri, Feb 5, 2010 at 10:09 PM, jhell wrote:
>
> On Fri, 5 Feb 2010 19:47, peter@ wrote:
>
>> Hi Maurice,
>>
>> Yes, you can do it without much difficulty and I've got my server
>> setup in that manner: there's about twenty separate jails that can
>> access the internet via specific NAT rules and incoming services
>> handled via RDR rules. Note: you won't be able to ping from a jail,
>> unless you want to allow your jailed processes to create raw sockets
>> (you don't) :-)
>>
>> There's probably many ways it can be done, but what I did was something
>> like:
>>
>> i) create a second loopback interface, lo1 (c.f. cloned interfaces)
>> and assign appropriate alias netblocks for your jails on that
>> interface;
>>
>> ii) create your pf.conf, set skip on lo0 but not the external or lo1
>> interface;
>>
>> iii) I'd set "set state-policy if-bound" so you know what's going on;
>>
>> iv) don't use the antispoof keyword, it will make a mess in this
>> situation;
>>
>> v) setting up bind to handle local dns resolution is a good idea -
>> point your jails towards this and you'll need to add in an appropriate
>> rule(s) later on;
>>
>> vi) setup outgoing nat rules, e.g.
>>
>>   nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port smtp -> $ext_ip
>>
>> vii) setup incoming services, e.g.
>>
>>   rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp
>>
>> viii) put in pass rules to allow nat out and rdr in; remember NAT is
>> done first, so your outgoing packets ALL have source IP of the
>> external IP now and not the jail IP
>>
>>   pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state
>>   pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state
>>
>> ix) allow jail implicit access to itself
>>
>>   pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to $int_ip_mail flags S/SA keep state
>>
>> x) add in rules to allow any interjail communication as needed
>> (remember the incoming/outgoing packets appear the other way round
>> here - use tcpdump to check if in doubt)
>>
>> If you have any problems, run tcpdump in a separate terminal window to
>> determine what's going on.
>>
>> Peter
>>
>> On 5 February 2010 22:53, Maurice wrote:
>>
>>> Hi,
>>>
>>> I have been looking for a couple days now, with no luck, for some
>>> direction as to whether I can successfully configure my freebsd to NAT
>>> with only one NIC. This is because I am setting up my system to jail my
>>> webserver, and I don't think I can get it to work without NATting it.
>>> If you have an alternate solution that would be great too. This is what
>>> my pf.conf looks like right now:
>>>
>>> # $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 03:14:26 kensmith Exp $
>>> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
>>> #
>>> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>>
>>> block in all
>>> block out all
>>>
>>> ext_if="fxp0"
>>> #int_if="int0"
>>> all_if="{fxp0, lo0}"
>>>
>>> #Internal network subnet
>>> int_net="10.0.0.0/32"
>>>
>>> #name and IP of webserver
>>> APACHE="10.0.0.1"
>>>
>>> #table persist
>>>
>>> set skip on lo
>>>
>>> scrub in
>>>
>>> #nat-anchor "ftp-proxy/*"
>>> #rdr-anchor "ftp-proxy/*"
>>> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
>>> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>>> #no rdr on $ext_if proto tcp from to any port smtp
>>> #rdr pass on $ext_if proto tcp from any to any port smtp \
>>> #   -> 127.0.0.1 port spamd
>>>
>>> #anchor "ftp-proxy/*"
>>> #pass out
>>>
>>> #pass quick on $int_if no state
>>> #antispoof quick for { lo $int_if }
>>> block in quick from urpf-failed
>>>
>>> pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
>>> rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
>>> nat on $ext_if from $APACHE to any -> fxp0
>>>
>
> Your placement of nat and redirect rules is a little bit worrisome.
> pf.conf as stated by its manual page is ordered (see following)
>
> # [Macros]        i.e. variable=lo1
> # [Options]       i.e. set etc.. etc..
> # [Normalization] i.e. scrub
> # [Queuing]       i.e. ALTQ
> # [Translation]   i.e. NAT RDR etc...
> # [Filtering]     i.e. pass & block rules
>
> Beware that there is quite the change for rule-sets ahead if the newer
> version of pf that is in the works for OpenBSD ever makes it downstream to
> FreeBSD.
>
> I personally do not know if the way you have your rule-set configured would
> cause any havoc with NAT since you have it mingled between filtering rules
> but it would be good practice to stick to what's already drawn in the manual
> page.
>
> Best of luck.
>
>>> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
>>> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>>>
>>> That doesn't seem to be doing the trick, since I can't ping and DNS won't
>>> resolve anything from within the jail (APACHE). I am going off some
>>> examples I found that would seem to suggest it is possible with only one
>>> NIC, but I can't seem to get it to work. Any help/advice would be greatly
>>> appreciated.
>>>
>>> thanks,
>>>
>>> Maurice
>>>
>
> --
>
> jhell
>

Thank you for your instructions, gentlemen. I will do my best to follow them.
This is my first stab at setting up a UNIX box, so thank you for your patience
as well!

regards,

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 11 22:58:07 2010
From: geoffroy desvernay
To: Albert Shih
Cc: freebsd-pf@freebsd.org
Date: Thu, 11 Feb 2010 23:38:56 +0100
Message-ID: <4B748700.70409@centrale-marseille.fr>
In-Reply-To: <20100205123254.GN11310@obspm.fr>
Subject: Re: How make the route-to working ?
Albert Shih wrote:
> Hi all,
>
> I've a problem with route-to.
>
> I've a server with 2 interfaces, and I'm running jail on this server. Each
> interface has its own public IP address.
>
>       eth0 -- IP0             eth1 -- IP1
>
> and I've a default route (for example in IP0 subnet).
>
> So if the jail is in the IP0 subnet no problem, everything works.
>
> Now if I put a jail in IP1 subnet, and some client tries to connect to this
> jail the answer comes out through eth0 because of the default route (suppose
> the client is not on my subnet).
>
> I don't want that. I want the answer to come out through eth1.
>
> I'm trying to use pf to do that and put in my pf.conf something like
>
> pass in all
> pass out all
> pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet
> pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! IP1_subnet
>
> but it's not working, if I run a tcpdump on the host I can see the
> incoming packet come in from eth1 and the outgoing come out on eth0.
>
> And if I try to remove the default route the outgoing packets don't come out....
>
> Any help ?
>
> Regards.
>

Hi,

I'm using that for the same case:

You just have to catch packets on the interface they would go normally:

pass out on *eth0* route-to {(eth1 IP1_Gateway)} from to !eth1:network

The other rule is not needed in this case

You may also try instead a 'reply-to' rule on eth1's inbound, as David
DeSimone suggested.

A third and cleaner solution would be to use multiple routing-tables -
see setfib(1) and 'options ROUTETABLES' of the kernel...

HTH
--
*Geoffroy Desvernay*
C.R.I - Systems and network administration
Ecole Centrale de Marseille

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 12 16:44:59 2010
From: Albert Shih
To: geoffroy desvernay
Cc: freebsd-pf@freebsd.org
Date: Fri, 12 Feb 2010 17:44:54 +0100
Message-ID: <20100212164454.GA23456@obspm.fr>
In-Reply-To: <4B748700.70409@centrale-marseille.fr>
Subject: Re: How make the route-to working ?

On 11/02/2010 at 23:38:56+0100, geoffroy desvernay wrote
> Albert Shih wrote:
> > Hi all,
> >
> > I've a problem with route-to.
> >
> > I've a server with 2 interfaces, and I'm running jail on this server. Each
> > interface has its own public IP address.
> >
> >       eth0 -- IP0             eth1 -- IP1
> >
> > and I've a default route (for example in IP0 subnet).
> >
> > So if the jail is in the IP0 subnet no problem, everything works.
> >
> > Now if I put a jail in IP1 subnet, and some client tries to connect to this
> > jail the answer comes out through eth0 because of the default route (suppose
> > the client is not on my subnet).
> >
> > I don't want that. I want the answer to come out through eth1.
> >
> > I'm trying to use pf to do that and put in my pf.conf something like
> >
> > pass in all
> > pass out all
> > pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet
> > pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! IP1_subnet
> >
> > but it's not working, if I run a tcpdump on the host I can see the
> > incoming packet come in from eth1 and the outgoing come out on eth0.
> >
> > And if I try to remove the default route the outgoing packets don't come out....
> >
> > Any help ?
> >
> > Regards.
> >

Lots of thanks for your answer.

>
> You just have to catch packets on the interface they would go normally:
>
> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from to !eth1:network
>
> The other rule is not needed in this case
>
> You may also try instead a 'reply-to' rule on eth1's inbound, as David
> DeSimone suggested.

OK now it's working. But I have some big trouble about the bandwidth.

Now when I try to do something like a scp, or ftp or wget from inside a
jail to outside, everything works fine. The traffic goes to the right
interface, the answer too.

But when I try to do some network connection (ssh, scp etc..) from outside
to a jail the bandwidth is catastrophic (~40kB/s on 1Gbit/s).

And for you ?

>
> A third and cleaner solution would be to use multiple routing-tables -
> see setfib(1) and 'options ROUTETABLES' of the kernel...

I already tried this, I don't know how to make it work. I'm going to try
again.

Regards.

Thanks again.
--
Albert SHIH
SIO building 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Telephone: 01 45 07 76 26/06 86 69 95 71
Local time: Fri 12 Feb 2010 17:41:22 CET

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 13 08:12:27 2010
From: geoffroy desvernay
To: Albert Shih
Cc: freebsd-pf@freebsd.org
Date: Sat, 13 Feb 2010 09:11:24 +0100
Message-ID: <4B765EAC.9020201@centrale-marseille.fr>
In-Reply-To: <20100212164454.GA23456@obspm.fr>
Subject: Re: How make the route-to working ?
Albert Shih wrote:
> On 11/02/2010 at 23:38:56+0100, geoffroy desvernay wrote
>> Albert Shih wrote:
>>> Hi all,
>>>
>>> I've a problem with route-to.
>>>
>>> I've a server with 2 interfaces, and I'm running jail on this server. Each
>>> interface has its own public IP address.
>>>
>>>       eth0 -- IP0             eth1 -- IP1
>>>
>>> and I've a default route (for example in IP0 subnet).
>>>
>>> So if the jail is in the IP0 subnet no problem, everything works.
>>>
>>> Now if I put a jail in IP1 subnet, and some client tries to connect to this
>>> jail the answer comes out through eth0 because of the default route (suppose
>>> the client is not on my subnet).
>>>
>>> I don't want that. I want the answer to come out through eth1.
>>>
>>> I'm trying to use pf to do that and put in my pf.conf something like
>>>
>>> pass in all
>>> pass out all
>>> pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet
>>> pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! IP1_subnet
>>>
>>> but it's not working, if I run a tcpdump on the host I can see the
>>> incoming packet come in from eth1 and the outgoing come out on eth0.
>>>
>>> And if I try to remove the default route the outgoing packets don't come out....
>>>
>>> Any help ?
>>>
>>> Regards.
>>>
> Lots of thanks for your answer.
>
>> You just have to catch packets on the interface they would go normally:
>>
>> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from to !eth1:network
>>
>> The other rule is not needed in this case
>>
>> You may also try instead a 'reply-to' rule on eth1's inbound, as David
>> DeSimone suggested.
>
> OK now it's working. But I have some big trouble about the bandwidth.
>
> Now when I try to do something like a scp, or ftp or wget from inside a
> jail to outside, everything works fine. The traffic goes to the right
> interface, the answer too.
>
> But when I try to do some network connection (ssh, scp etc..) from outside
> to a jail the bandwidth is catastrophic (~40kB/s on 1Gbit/s).
>
> And for you ?
>

Using this kind of setup since at least two years for ~500 real users
without complaints... (three different 'ssh jails' on the same machine with
many vlans and three "default" gateways)

>> A third and cleaner solution would be to use multiple routing-tables -
>> see setfib(1) and 'options ROUTETABLES' of the kernel...
>
> I already tried this, I don't know how to make it work. I'm going to try
> again.
>

I'm also planning to test this... for more than a year :-|

--
*Geoffroy Desvernay*
C.R.I - Systems and network administration
Ecole Centrale de Marseille

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 13 11:49:11 2010
From: "Sam Fourman Jr."
To: geoffroy desvernay
Cc: Albert Shih, freebsd-pf@freebsd.org
Date: Sat, 13 Feb 2010 05:19:20 -0600
Message-ID: <11167f521002130319h42e131bbic432b4122773d383@mail.gmail.com>
In-Reply-To: <4B748700.70409@centrale-marseille.fr>
Subject: Re: How make the route-to working ?

On Thu, Feb 11, 2010 at 4:38 PM, geoffroy desvernay wrote:
> Albert Shih wrote:
>> Hi all,
>>
>> I've a problem with route-to.
>>
>> I've a server with 2 interfaces, and I'm running jail on this server. Each
>> interface has its own public IP address.
>>
>>       eth0 -- IP0             eth1 -- IP1
>>
>> and I've a default route (for example in IP0 subnet).
>>
>> So if the jail is in the IP0 subnet no problem, everything works.
>>
>> Now if I put a jail in IP1 subnet, and some client tries to connect to this
>> jail the answer comes out through eth0 because of the default route (suppose
>> the client is not on my subnet).
>>
>> I don't want that. I want the answer to come out through eth1.
>>
>> I'm trying to use pf to do that and put in my pf.conf something like
>>
>> pass in all
>> pass out all
>> pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet
>> pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! IP1_subnet
>>
>> but it's not working, if I run a tcpdump on the host I can see the
>> incoming packet come in from eth1 and the outgoing come out on eth0.
>>
>> And if I try to remove the default route the outgoing packets don't come out....
>>
>> Any help ?
>>
>> Regards.
>>
>>
> Hi,
>
> I'm using that for the same case:
>
> You just have to catch packets on the interface they would go normally:
>
> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from to !eth1:network
>
> The other rule is not needed in this case
>
> You may also try instead a 'reply-to' rule on eth1's inbound, as David
> DeSimone suggested.
>
> A third and cleaner solution would be to use multiple routing-tables -
> see setfib(1) and 'options ROUTETABLES' of the kernel...

I have searched the net high and low and I can not find any good examples
on how to use multiple routing tables. I agree that it would be cleaner;
do you have an example of how to do this?

if anyone has links to examples for Multiple routing tables examples post
them please.

Sam Fourman Jr.
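As an added example (not from the thread; every address, interface name and gateway below is an assumed placeholder), here is one pf.conf that puts Peter's one-NIC jail pattern (jails on a cloned lo1, nat out, rdr in, pass rules written against the translated addresses) and Geoffroy's route-to rule for a jail on a second interface into the section order jhell quotes from the manual page, with the reply-to variant he mentions shown commented out:

```pf
# Added example, not taken from the thread: a complete pf.conf for a jail
# host with two public NICs. Sections follow the order jhell quotes from
# pf.conf(5): macros, options, normalization, translation, filtering.
# All addresses, interface names and gateways are assumed placeholders.

# --- Macros ---------------------------------------------------------------
ext_if   = "fxp0"            # NIC carrying the host's default route
ext_ip   = "203.0.113.10"
ext2_if  = "em0"             # second NIC with its own subnet and gateway
ext2_gw  = "198.51.100.1"
jail_if  = "lo1"             # cloned loopback holding the private jail IPs
                             # (rc.conf: cloned_interfaces="lo1" plus an
                             #  ifconfig_lo1_aliasN line per jail address)
jail_web = "10.0.0.1"        # private jail, reached from outside via rdr
jail_ssh = "198.51.100.20"   # jail with a public IP on $ext2_if's subnet

# --- Options --------------------------------------------------------------
set state-policy if-bound    # Peter's step iii: states stay tied to their interface
set skip on lo0              # lo0 only; lo1 and both NICs are filtered

# --- Normalization --------------------------------------------------------
scrub in

# --- Translation (evaluated before filtering) -----------------------------
# Outbound: traffic from the private jail that is not destined for another
# lo1 jail leaves with $ext_ip as its source address (Peter's step vi).
nat on $ext_if inet from $jail_web to ! $jail_if:network -> $ext_ip
# Inbound: HTTP to the host's public address is handed to the private jail
# (Peter's step vii).
rdr on $ext_if proto tcp from any to $ext_ip port http -> $jail_web port http

# --- Filtering ------------------------------------------------------------
block log all

# Pass rules see the translated addresses (Peter's step viii): outgoing
# packets already carry $ext_ip, incoming HTTP is already addressed to
# $jail_web. UDP 53 lets the jail reach the resolver Peter suggests.
pass out log on $ext_if proto tcp from $ext_ip to any flags S/SA modulate state
pass out log on $ext_if proto udp from $ext_ip to any port domain keep state
pass in  log on $ext_if proto tcp from any to $jail_web port http flags S/SA modulate state

# A jail must be able to talk to itself over lo1 (Peter's step ix).
pass log on $jail_if proto { tcp, udp } from $jail_web to $jail_web keep state

# Jail on the second subnet (Geoffroy's rule): its replies would normally
# follow the default route out of $ext_if, so catch them there and hand
# them to $ext2_if's gateway. Only this one route-to rule is needed; the
# second pass lets the rerouted packet leave $ext2_if.
pass out on $ext_if route-to ($ext2_if $ext2_gw) from $jail_ssh to ! $ext2_if:network keep state
pass out on $ext2_if from $jail_ssh to any keep state

# Inbound SSH to that jail. The commented line is the alternative Geoffroy
# mentions: reply-to on the inbound rule records the return path in the
# state instead of relying on the route-to rule above.
pass in on $ext2_if proto tcp from any to $jail_ssh port ssh flags S/SA keep state
#pass in on $ext2_if reply-to ($ext2_if $ext2_gw) proto tcp from any to $jail_ssh port ssh flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -ni pflog0` (as Peter suggests) to confirm the rerouted replies leave on the expected interface.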
From owner-freebsd-pf@FreeBSD.ORG Sat Feb 13 18:27:08 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0D22F1065670 for ; Sat, 13 Feb 2010 18:27:08 +0000 (UTC) (envelope-from whereisalext@gmail.com) Received: from mail-pz0-f184.google.com (mail-pz0-f184.google.com [209.85.222.184]) by mx1.freebsd.org (Postfix) with ESMTP id DAF168FC08 for ; Sat, 13 Feb 2010 18:27:07 +0000 (UTC) Received: by pzk14 with SMTP id 14so4035177pzk.3 for ; Sat, 13 Feb 2010 10:27:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=bmx6ORwXZdEDADed3Aa7Hto2Mycs+ODZ/DFOI436Weg=; b=ap5hKZcDSpYPvcujHb0cx5V7bfjuVD6YSJrP/mxwj9w/6jQhtEJYIoCJIrkJ3qap5e HKvY7cRGXn1dhynTKZ/Mt/njIvBD97UoHPM8l5kFi6Cw8nkpYJfNk3hoFuHNdzlVzxSO j8JzanEWW2Uxc+uOHoxQnkFdw2ea+xjVse/pg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=oitfj/E9kayppnLwfUXdBGu01xUhJmcYK7NWP0d2aCzrQjDokisAPLo6E1hYTLJEFw RdWNSA1Af27Nnd3Wmq6G5s3jHGfmYnnMLZ0qAg+k2qCf9z43EMl5o7yLNMxkZjcrHb6z LTTjwiSaW4VrtB5gEKL+f/tLBMRxx1DZlqaRQ= MIME-Version: 1.0 Received: by 10.142.61.42 with SMTP id j42mr2005904wfa.26.1266084322697; Sat, 13 Feb 2010 10:05:22 -0800 (PST) Date: Sat, 13 Feb 2010 10:05:22 -0800 Message-ID: From: Alex Teslik To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: pf: nat works, ip blocking and logging do not X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Feb 2010 18:27:08 -0000 I setup pf with nat on my Freebsd 7 system: 
[gouda:root]/root# pfctl -sa -vvvv
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
@0 nat on em0 inet from 192.168.4.0/24 to any -> (em0) round-robin
  [ Evaluations: 29986     Packets: 67086     Bytes: 54746182    States: 21    ]
  [ Inserted: uid 0 pid 66358 ]
FILTER RULES:
@0 scrub in all fragment reassemble
  [ Evaluations: 1030123   Packets: 539441    Bytes: 76737270    States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@0 block drop in log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 75127     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@1 block drop in log (all) quick on em0 inet from 22.22.22.222 to any
  [ Evaluations: 32476     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@2 block drop out log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 56044     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@3 block drop out log (all) quick on em0 inet from 22.22.22.222 to any
  [ Evaluations: 23568     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@4 pass in all flags S/SA keep state
  [ Evaluations: 75130     Packets: 311544    Bytes: 126402695   States: 62    ]
  [ Inserted: uid 0 pid 66358 ]
@5 pass out all flags S/SA keep state
  [ Evaluations: 75130     Packets: 239954    Bytes: 97798568    States: 55    ]
  [ Inserted: uid 0 pid 66358 ]

NAT works great.

Unfortunately, I can still go to 11.11.11.111 or 22.22.22.222 with no
blocking and no logging in /var/log/pflog.

When I tcpdump on pflog0 there are no entries when I go to those IPs.
What am I doing wrong here that is preventing logging and blocking from
working?
[gouda:root]/root# tcpdump -vvveni pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

[gouda:root]/root# cat /etc/pf.conf
ext_if="em0"
int_if="sk0"
set skip on lo0
scrub in
nat on $ext_if from $int_if:network to any -> ($ext_if)
block drop in log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
block drop out log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
pass in all
pass out all

Thank you for your thoughts.

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 13 20:56:58 2010
Message-ID: <4B770D64.10404@pp.dyndns.biz>
Date: Sat, 13 Feb 2010 21:36:52 +0100
From: Morgan Wesström
To: Alex Teslik
Cc: freebsd-pf@freebsd.org
Subject: Re: pf: nat works, ip blocking and logging do not

> nat works great.
>
> Unfortunately, I can still go to 11.11.11.111 or 22.22.22.222 with no
> blocking and no logging on /var/log/pflog.
>
> When I tcpdump listen to pflog0 there are no entries when I go to those ips.
> What am I doing wrong here that is preventing logging and blocking from
> working?
>
> [gouda:root]/root# tcpdump -vvveni pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture
> size 96 bytes
>
> [gouda:root]/root# cat /etc/pf.conf
> ext_if="em0"
> int_if="sk0"
> set skip on lo0
> scrub in
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> block drop in log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 }
> to any
> block drop out log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222
> } to any
> pass in all
> pass out all
>

You have to reverse the order of the source and destination in your outgoing rule.
It should be:

block drop out log (all) quick on $ext_if from any to { 11.11.11.111, 22.22.22.222 }

/Morgan

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 13 23:37:11 2010
Message-ID: <4B773767.1000909@centrale-marseille.fr>
Date: Sun, 14 Feb 2010 00:36:07 +0100
From: geoffroy desvernay
To: "Sam Fourman Jr."
References: <20100205123254.GN11310@obspm.fr> <4B748700.70409@centrale-marseille.fr> <11167f521002130319h42e131bbic432b4122773d383@mail.gmail.com>
In-Reply-To: <11167f521002130319h42e131bbic432b4122773d383@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: How make the route-to working ?
Sam Fourman Jr. wrote:
[...]
> I have searched the net high and low and I cannot find any good
> examples on how to use multiple routing tables.
> I agree that it would be cleaner; do you have an example of how to do this?
> If anyone has links to examples for multiple routing tables, post them please.
>

I don't have any skills on that theme, nor any (usable) experience, but
it seems that you have to:

1. recompile the kernel with (for 4 tables):

   options ROUTETABLES=4

2. modify table '1' for example (the default one is 0), prefixing 'route'
   commands with 'setfib 1', e.g.:

   # setfib 1 route delete default
   # setfib 1 route add default 10.1.2.3

3. start a jail with 'jail_xxx_fib="1"' in rc.conf

This should do the trick (if I understood it correctly).

One more time: I did not test it, just reading freebsd-jail@ and googling ;)
I'll test it myself when I have time for it.
HTH
--
Geoffroy Desvernay
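Returning to Morgan's answer to Alex Teslik's block-rule question earlier in this digest: the pfctl counters Alex posted already show the problem (both `out` block rules have `Packets: 0`), and the reason is direction. On the external interface an outgoing packet toward 11.11.11.111 carries the firewall's own address as its source (the client address has already been NATed) and 11.11.11.111 as its destination, so an `out` rule with `from 11.11.11.111` can never match. The `in` block rules show zero packets for a second reason: replies to a connection that was passed out with state match the state entry first and never reach the rule set, so `block in` only ever sees unsolicited packets. The Python model below is an added example, not code from the thread or from pf; it implements just enough of pf's rule evaluation (interface, direction, `from`/`to` lists with `any`, `!` and `{ a, b }`, `quick`, `log`, last-match-wins, and a minimal state table) to reproduce both effects against the page's ruleset and Morgan's corrected rule. The em0 address 203.0.113.5 is an assumption, and the rule text is the page's pf.conf with `$ext_if` expanded.

```python
"""pf direction semantics, modelled in Python (added example, not code from
the thread or from pf). Subset: interface, direction, from/to lists with
'any', '!' and '{ a, b }', 'quick', 'log', last-match-wins and a state table."""
from __future__ import annotations

import ipaddress
from collections import namedtuple

# Constructed: the page's rules with $ext_if expanded, and Morgan's fix.
ORIGINAL = """
block drop in log (all) quick on em0 from { 11.11.11.111, 22.22.22.222 } to any
block drop out log (all) quick on em0 from { 11.11.11.111, 22.22.22.222 } to any
pass in all
pass out all
"""
CORRECTED = """
block drop in log (all) quick on em0 from { 11.11.11.111, 22.22.22.222 } to any
block drop out log (all) quick on em0 from any to { 11.11.11.111, 22.22.22.222 }
pass in all
pass out all
"""
EXT_ADDR = "203.0.113.5"   # assumed address of em0, i.e. the source after NAT

Rule = namedtuple("Rule", "action direction iface src dst quick log")
Packet = namedtuple("Packet", "iface direction src dst")


def _addr_list(toks, i):
    """Parse 'any', one address/network or '{ a, b }' at toks[i]."""
    if toks[i] == "{":
        j = toks.index("}", i)
        return toks[i + 1:j], j + 1
    return [toks[i]], i + 1


def parse_rule(line: str) -> Rule:
    """Parse one pf.conf filter rule of the shape used on the page."""
    toks = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    i = 2 if toks[1] in ("drop", "return") else 1      # skip 'block drop'
    direction, i = toks[i], i + 1
    quick, log, iface = False, False, None
    while toks[i] in ("log", "quick", "on"):
        if toks[i] == "log":
            log, i = True, i + 1
            if toks[i].startswith("("):              # 'log (all)', 'log (user)'
                i += 1
        elif toks[i] == "quick":
            quick, i = True, i + 1
        else:
            iface, i = toks[i + 1], i + 2
    if toks[i] == "all":
        src, dst = ["any"], ["any"]
    else:
        src, i = _addr_list(toks, i + 1)               # after 'from'
        dst, _ = _addr_list(toks, i + 1)               # after 'to'
    return Rule(toks[0], direction, iface, src, dst, quick, log)


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern.startswith("!"):
        return not _addr_match(pattern[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


class Firewall:
    def __init__(self, ruleset: str) -> None:
        self.rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
        self.states: set[tuple[str, str]] = set()   # (src, dst) of passed flows
        self.logged: list[Packet] = []               # what would reach pflog0

    def filter(self, pkt: Packet) -> str:
        """'pass' or 'block'. A packet of an existing state never reaches the
        rules; otherwise the last matching rule wins unless one is quick."""
        if (pkt.src, pkt.dst) in self.states or (pkt.dst, pkt.src) in self.states:
            return "pass"
        verdict, log = "pass", False                 # pf default: pass
        for r in self.rules:
            if r.direction != pkt.direction or (r.iface and r.iface != pkt.iface):
                continue
            if not (any(_addr_match(a, pkt.src) for a in r.src)
                    and any(_addr_match(a, pkt.dst) for a in r.dst)):
                continue
            verdict, log = r.action, r.log
            if r.quick:
                break
        if log:
            self.logged.append(pkt)
        if verdict == "pass":                        # pass keeps state by default
            self.states.add((pkt.src, pkt.dst))
        return verdict


def client_connects(ruleset: str, target: str) -> tuple[str, str, int]:
    """A NATed LAN client reaches `target` through em0 and `target` replies.
    Returns (outbound verdict, reply verdict, packets logged to pflog)."""
    fw = Firewall(ruleset)
    out = fw.filter(Packet("em0", "out", EXT_ADDR, target))
    reply = fw.filter(Packet("em0", "in", target, EXT_ADDR)) if out == "pass" else "n/a"
    return out, reply, len(fw.logged)
```

With ORIGINAL, `client_connects(ORIGINAL, "11.11.11.111")` passes both directions and logs nothing, which is exactly the symptom in the thread; with CORRECTED the first outbound packet is blocked and logged, and no state is ever created for the reply. A packet that arrives from 22.22.22.222 without a matching state is blocked by the `in` rule under either ruleset, so that rule was never wrong, only unreachable for reply traffic.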