From owner-freebsd-pf@FreeBSD.ORG Fri Jul 14 23:09:20 2006
Message-ID: <8eea04080607141609n1270f57dva21efcd2d8eb5789@mail.gmail.com>
Date: Fri, 14 Jul 2006 16:09:18 -0700
From: "Jon Simola" <jsimola@gmail.com>
To: "Nejc Skoberne"
Cc: freebsd-pf@freebsd.org
Subject: Re: Multihoming with route-to
In-Reply-To: <44B75A3D.5060108@skoberne.net>
References: <44B75A3D.5060108@skoberne.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 7/14/06, Nejc Skoberne wrote:
> pass out on $UntrustInterface route-to ($UntrustInterface2 $NextHop2) from
> $UntrustInterface2 to any keep state
> pass out on $UntrustInterface2 route-to ($UntrustInterface $NextHop1) from
> $UntrustInterface to any keep state
>
> I thought this would do the following: if I ping E.F.G.H from w.x.y.z (somewhere on the
> Internet), the packet goes in through $UntrustInterface2, the kernel crafts the ping-reply
> packet and sends it out to the default route via $UntrustInterface - but since there is
> a route-to rule, the packet should get routed to $UntrustInterface2 and $NextHop2
> instead. Is this reasoning correct?

You need to use reply-to when a packet comes in on the second interface:

pass in on $UntrustInterface2 reply-to ($UntrustInterface2 $NextHop2) keep state

That should get you working, then apply filtering as desired.

> You can find the full pf.conf here: http://nejc.skoberne.net/pf.conf

Thanks for linking your full pf.conf, as it makes answering questions a lot easier.

-- 
Jon