Date: Mon, 12 Mar 2007 23:58:14 -0300
From: Alexandre Biancalana <ale@seudns.net>
To: Tom Judge <tom@tomjudge.com>
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Message-ID: <45F61346.6050808@seudns.net>
In-Reply-To: <45F5D3FD.8070802@tomjudge.com>
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com> <45F58B94.9000308@seudns.net> <45F58D1D.8080304@tomjudge.com> <45F59254.2050907@seudns.net> <45F5A395.9010309@tomjudge.com> <45F5CF26.6070100@seudns.net> <45F5D3FD.8070802@tomjudge.com>
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Tom Judge wrote:
>>>>>>> Alexandre Biancalana wrote:
>>>>>>>> Tom Judge wrote:
>>>>>>>>> Alexandre Biancalana wrote:
>>>>>>>>>> Hi List,
>>>>>>>>>>
>>>>>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two
>>>>>>>>>> internet links but I can't get the route-to rule to function as I
>>>>>>>>>> need.
>>>>>>>>>>
>>>>>>>>>>             (default gw)           ______
>>>>>>>>>>   Link A <----------->           |int A |
>>>>>>>>>>                                  |      |
>>>>>>>>>>   Link B <----------->           |int B |
>>>>>>>>>>                                  |______|
>>>>>>>>>>                                  FreeBSD FW
>>>>>>>>>>
>>>>>>>>>> A simple thing that I need to do is test the two Internet
>>>>>>>>>> links to know if they are up or not. To do this I could ping
>>>>>>>>>> or connect to tcp ports on some external ips through each link.
>>>>>>>>>> Using nc and hping I tried to do this by generating
>>>>>>>>>> connections/packets from each network interface connected to
>>>>>>>>>> each link, but the packets always go out by the interface
>>>>>>>>>> indicated by the machine's default route.
>>>>>>>>>>
>>>>>>>>>> I tried to add these rules in pf to force packets out by the
>>>>>>>>>> right interface based on their source address, but this does
>>>>>>>>>> not work, and the packets generated with the ip of int B are
>>>>>>>>>> going out by int A.
>>>>>>>>>>
>>>>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>>>>>>
>
> <SNIP/>
>
>> I understand that, I just don't see much difference between your rules and
>> my rules example... both examples should work... but here none
>> of them work.....
>>
>> Adding a static destination route to an external host via gw_b and
>> pinging with the int_a address, the packet exits by int_b with the int_a source
>> address... the same behavior...
>>
>> I tried your way:
>>
>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network
>>
>>
>> # pfctl -vv -sr
>> @28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
>>   [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
>> @29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
>>   [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]
>>
>> Any more hints ?!
>
> Han Hwei Woo wrote:
> > Just to be certain, are you aware that for PF, the last matching
> > rule is applied? Also, you can use the command:
> >
> > # pfctl -vv -sr
> >
> > to examine how your rules are being matched.
>
> Try the following, which forces the first rule the packet matches
> (marked with quick) to be the final rule used to process the packet:
>
> pass out quick log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
> pass out quick log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network

I added a keep state at the end of each rule and now all works!

I will do more tests and report any problem...

Thanks in advance!!!

Alexandre
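The thread ends with the working combination (route-to rule, quick, keep state, and the link's own subnet excluded) but never shows it assembled in one place. The pf.conf fragment below is an added example, not configuration posted by anyone in the thread; the interface names (em0, em1), the gateway addresses (taken from the RFC 5737 documentation ranges) and the trailing generic pass rule are constructed placeholders, and the commented-out "before" pair is the original poster's first attempt as quoted above.

```pf
# Added example, not from the thread. Two-uplink policy routing for the
# FreeBSD 6 era pf. Interface names and gateways are constructed placeholders.
int_a    = "em0"             # link A, the interface the default route points at
int_a_gw = "198.51.100.1"    # assumed next hop on link A
int_b    = "em1"             # link B
int_b_gw = "203.0.113.1"     # assumed next hop on link B

# Before (the first attempt quoted in the thread). Neither rule is "quick"
# and neither keeps state; pf applies the LAST matching rule, so any later
# "pass out" rule that also matches wins and the route-to is never applied.
# pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
# pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any

# After. "quick" ends evaluation at this rule, so no later rule can override
# the route-to. "keep state" (explicit in this pf version) is the addition
# the thread reports as the change that made the rules work; with it, the
# replies coming back in on the other link match the state entry instead of
# being evaluated against the rule set again. Traffic to the link's own
# subnet is excluded so that it is not pushed out through the other uplink.
pass out log quick on $int_a route-to ( $int_b $int_b_gw ) \
     from $int_b to ! $int_b:network keep state
pass out log quick on $int_b route-to ( $int_a $int_a_gw ) \
     from $int_a to ! $int_a:network keep state

# Ordinary outbound traffic (assumed rule). Placed after the route-to rules;
# without "quick" above, this last-matching rule would have won instead.
pass out log on { $int_a, $int_b } keep state

# Checks, run as root after "pfctl -f /etc/pf.conf":
#   pfctl -vv -sr                  # Packets/States counters on @rules must move
#   ping -S <int_b address> <host> # source the probe from link B's address
#   tcpdump -n -e -ttt -i pflog0   # the "log" keyword shows which rule matched
```

The "Packets: 0 / States: 0" counters in the pfctl output quoted in the thread are the tell-tale for this class of problem: the rule is being evaluated (Evaluations climbs) but never ends up as the final match. Once the quick rules above are the decisive ones, those counters increase with every probe sent from the secondary link's address.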