Date: Mon, 8 Aug 2005 18:18:28 +0400 From: Sergey Lapin <slapinid@gmail.com> To: freebsd-pf@freebsd.org Subject: Re: Fwd: pf problems Message-ID: <48239d3905080807182fef6a5b@mail.gmail.com> In-Reply-To: <42F7502C.4070003@tirloni.org> References: <48239d390508040958265ce62@mail.gmail.com> <48239d3905080504297b3ebc89@mail.gmail.com> <200508060411.05482.max@love2party.net> <48239d390508080452270c8d10@mail.gmail.com> <42F7502C.4070003@tirloni.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> I've the same situation here and we use route-to to route everything > from ISP1's network to their gateway and vice-versa. >=20 > route-to re-routes a packet from 1.0.0.0/24 when it's trying to leave > through the ISP2 interface and everything then gets NAT'ed properly. >=20 > pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) from > $isp1_net to any >=20 It does not help. Actually, it looks like pf does not have control over outgoing packets produced by pf itself. I can not neither block nor reroute these packets. I checked this very easily - I created a rule block out log quick from SOME_OUTSIDE_HOST/32 to any block out log quick from any to SOME_OUTSIDE_HOST/32 and made it very first rules of the firewall. Needless to say, when I tried to telnet to router port 9999 from SOME_OUTSIDE_HOST, tcpdump on the pflog0 device got incoming SYN but did not show RST. From the other hand, tcpdump on the default gateway interface shown outgoing RST. Again, from this I conclude that pf-generated packets (RST/ICMP) are not subject for ruleset processing.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48239d3905080807182fef6a5b>