Date:      Mon, 12 Mar 2007 22:28:13 +0000
From:      Tom Judge <tom@tomjudge.com>
To:        Alexandre Biancalana <ale@seudns.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: PF route-to behavior
Message-ID:  <45F5D3FD.8070802@tomjudge.com>
In-Reply-To: <45F5CF26.6070100@seudns.net>
References:  <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com> <45F58B94.9000308@seudns.net> <45F58D1D.8080304@tomjudge.com> <45F59254.2050907@seudns.net> <45F5A395.9010309@tomjudge.com> <45F5CF26.6070100@seudns.net>

Alexandre Biancalana wrote:
> Tom Judge wrote:
>> Alexandre Biancalana wrote:
>>> Tom Judge wrote:
>>>> Alexandre Biancalana wrote:
>>>>> Tom Judge wrote:
>>>>>> Alexandre Biancalana wrote:
>>>>>>> Tom Judge wrote:
>>>>>>>> Alexandre Biancalana wrote:
>>>>>>>>> Hi List,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two
>>>>>>>>> internet links but I can't get the route-to rule to function as I
>>>>>>>>> need.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>          (default gw)   _______
>>>>>>>>>  Link A <-----------> | int A |
>>>>>>>>>                       |       |
>>>>>>>>>  Link B <-----------> | int B |
>>>>>>>>>                       |_______|
>>>>>>>>>                        FreeBSD FW
>>>>>>>>>
>>>>>>>>> A simple thing that I need to do is test the two Internet links
>>>>>>>>> to know if they are up or not. To do this I could ping or
>>>>>>>>> connect to tcp ports on some external ips through each link; using
>>>>>>>>> nc and hping I tried to do this, generating connections/packets from
>>>>>>>>> each network interface connected to each link, but the packets
>>>>>>>>> always go out by the interface indicated by the machine's default
>>>>>>>>> route.
>>>>>>>>>
>>>>>>>>> I tried to add these rules in pf to force packets out by the
>>>>>>>>> right interface based on their source address, but this does not
>>>>>>>>> work, and the packets generated with the ip of int B are going out
>>>>>>>>> by int A.
>>>>>>>>>
>>>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>>>>>

<SNIP/>

> I understand that, I just don't see much difference between your rules and my
> rules example... both examples should work... but here none of them
> work.....
> 
> Adding a static destination route to an external host via gw_b and pinging
> with the int_a address, the packet exits by int_b with the int_a source
> address... the same behavior...
> 
> I tried your way:
> 
> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network
> 
> 
> # pfctl -vv -sr
> @28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
>   [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
> @29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
>   [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]
> 
> Any more hints ?!

Han Hwei Woo wrote:
> Just to be certain, are you aware that for PF, the last matching rule is
> applied? Also, you can use the command:
> # pfctl -vv -sr
> to examine how your rules are being matched.

Try the following which forces the first rule the packet matches (marked 
with quick) to be the final rule used to process the packet:

pass out quick log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
pass out quick log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network

Tom
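The point Han Hwei Woo and Tom make above (PF applies the last matching rule unless an earlier match is marked `quick`) is the kind of thing that is easier to see in a model than in a live ruleset. The following is an added illustration written for this page, not code from the thread, from PF or from FreeBSD. It models only what the discussion needs: outbound rules matched on the interface the routing table chose, a source network, an optional negated destination network, `quick`, and a `route-to` target. It ignores state creation, TCP flags, NAT and everything else PF does. Interface names (`em0`, `em1`), the two /24 networks, the gateways and the sample packets are constructed for the example; the catch-all `pass out` at the end of the ruleset is an assumption about what a typical pf.conf contains after the route-to rules, which is exactly the situation in which the route-to rule is evaluated but never "wins".

```python
"""Model of PF rule ordering: last match wins, unless a matching rule is 'quick'.

Added example for this page; not PF code. Rules, addresses and interface
names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    out_iface: str   # interface picked by the routing table (default route here)
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    iface: Optional[str] = None          # None matches any interface ("on" absent)
    src_net: Optional[str] = None        # CIDR, or None for "from any"
    dst_net: Optional[str] = None        # CIDR, "!"-prefixed CIDR, or None for "to any"
    quick: bool = False
    route_to: Optional[Tuple[str, str]] = None   # (interface, gateway) or None

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.out_iface:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None:
            negate = self.dst_net.startswith("!")
            net = ip_network(self.dst_net.lstrip("! "))
            # "to ! net" matches when dst is NOT in net; "to net" when it is
            if (ip_address(pkt.dst) in net) == negate:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[Rule], int]:
    """Return (winning rule, number of rules evaluated), as PF would.

    Every rule is evaluated in order and the last one that matches wins,
    except that a matching 'quick' rule ends evaluation immediately.
    """
    winner, evaluations = None, 0
    for rule in rules:
        evaluations += 1
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner, evaluations


def egress_for(rules: List[Rule], pkt: Packet) -> str:
    """Interface the packet actually leaves on: route-to of the winner, else routing."""
    winner, _ = evaluate(rules, pkt)
    if winner is not None and winner.route_to is not None:
        return winner.route_to[0]
    return pkt.out_iface


# Constructed topology: int_a (em0) carries the default route, int_b (em1) is link B.
INT_A, INT_B = "em0", "em1"
INT_A_NET, INT_B_NET = "198.51.100.0/24", "203.0.113.0/24"
INT_A_GW, INT_B_GW = "198.51.100.1", "203.0.113.1"


def ruleset(quick: bool) -> List[Rule]:
    """The two route-to rules from the thread, followed by an assumed catch-all."""
    return [
        # pass out [quick] log on $int_a route-to ($int_b $int_b_gw) from $int_b to ! int_b:network
        Rule("pass", iface=INT_A, src_net=INT_B_NET, dst_net="!" + INT_B_NET,
             quick=quick, route_to=(INT_B, INT_B_GW)),
        # pass out [quick] log on $int_b route-to ($int_a $int_a_gw) from $int_a to ! int_a:network
        Rule("pass", iface=INT_B, src_net=INT_A_NET, dst_net="!" + INT_A_NET,
             quick=quick, route_to=(INT_A, INT_A_GW)),
        # assumed later catch-all: "pass out"  (matches everything, no route-to)
        Rule("pass"),
    ]


if __name__ == "__main__":
    # Probe sourced from int_b's address; the kernel routed it via the default route (em0).
    probe = Packet(out_iface=INT_A, src="203.0.113.20", dst="192.0.2.10")
    for q in (False, True):
        winner, n = evaluate(ruleset(q), probe)
        print(f"quick={q}: evaluated {n} rules, winner route_to={winner.route_to}, "
              f"egress={egress_for(ruleset(q), probe)}")
```

Without `quick`, the route-to rule matches and is counted as an evaluation, but the later catch-all matches too and, being last, decides the packet: it leaves on `em0` with `int_b`'s source address, which is the symptom reported above. With `quick` on the route-to rule, evaluation stops there and the packet is handed to `em1` and its gateway. A packet that genuinely belongs on `em0` (source in `int_a`'s network) matches neither route-to rule and falls through to the catch-all unchanged, so `quick` does not disturb ordinary traffic.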

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45F5D3FD.8070802>