From owner-freebsd-pf@FreeBSD.ORG Wed Sep 24 13:37:01 2014
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 308F0CB2 for ; Wed, 24 Sep 2014 13:37:01 +0000 (UTC)
Received: from ae-mail.austinenergy.com (smtp.austinenergy.com [162.89.23.25]) by mx1.freebsd.org (Postfix) with ESMTP id E8BC7C98 for ; Wed, 24 Sep 2014 13:36:59 +0000 (UTC)
Received: from ae-pexch02.aenetad.net ([fe80::80b3:cfa8:7417:7812]) by AE-PEXCH01.aenetad.net ([fe80::d87b:541:2c83:1292%29]) with mapi id 14.03.0181.006; Wed, 24 Sep 2014 08:35:53 -0500
From: "Nagle, Edwin (James)"
To: "freebsd-pf@freebsd.org"
Subject: Source based routing
Thread-Topic: Source based routing
Thread-Index: Ac/X/HhmW9sU0d9kSjKNV1NokwiELg==
Date: Wed, 24 Sep 2014 13:35:53 +0000
Message-ID: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.10.207.22]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 24 Sep 2014 13:37:01 -0000

Hi all,

I'm trying to accomplish something that I think should be pretty simple, but cannot figure out how to do...  Here is my scenario:

I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet.  The users coming in will need to have their IP sourced from the same IP as they arrived on because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets.  Incoming access will be controlled by RADIUS based on IP address.  Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on).

The server has four interfaces configured, the physical interface (bce0) and three virtual (tap0, tap1, tap2).

I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables.  I found a good article which describes source based routing with multiple routing tables but I think my problem stems from having all the IP addresses on the same network subnet.  I have successfully been able to have the outbound NAT to a single IP but I'm still unclear on how PF works so I'm basically mucking around trying to find something that works (please forgive my ignorance):

My current pf.conf:

nat on ! tap0 from any to any port ssh -> 10.1.9.59
nat on ! tap1 from any to any port ssh -> 10.1.9.60
nat on ! tap2 from any to any port ssh -> 10.1.9.61

All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on.  I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP.

Anyone have any ideas or suggestions as to how to accomplish this?

Many thanks in advance for any guidance.

James

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 24 14:09:38 2014
From: "Nagle, Edwin (James)"
To: "freebsd-pf@freebsd.org"
Subject: RE: Source based routing
Date: Wed, 24 Sep 2014 14:09:37 +0000
Message-ID: <27DBC528FBF8094FA7247CC9A0A5C85F02A6B3B9@AE-PEXCH02.aenetad.net>
References: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>

Hello,

Thanks for the information.  I have built multiple routing tables and am running separate sshd instances:

#
# /etc/rc.local
#

# Build my alternate routing tables
/usr/sbin/setfib 0 /sbin/route add default 10.1.9.58
/usr/sbin/setfib 1 /sbin/route add default 10.1.9.59
/usr/sbin/setfib 2 /sbin/route add default 10.1.9.60
/usr/sbin/setfib 3 /sbin/route add default 10.1.9.61

# Start SSH daemons for each interface
/usr/sbin/setfib 0 /usr/sbin/sshd -f /etc/ssh/sshd_config
/usr/sbin/setfib 1 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap0
/usr/sbin/setfib 2 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap1
/usr/sbin/setfib 3 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap2

And have tried the following in my pf.conf:

pass in log on bce0 inet proto tcp from any to (bce0) port ssh rtable 0
pass in log on tap0 inet proto tcp from any to (tap0) port ssh rtable 1
pass in log on tap1 inet proto tcp from any to (tap1) port ssh rtable 2
pass in log on tap2 inet proto tcp from any to (tap2) port ssh rtable 3

But this still doesn't work.  Any ideas what I'm doing wrong?

Thanks!

James

From: claudiu vasadi [mailto:claudiu.vasadi@gmail.com]
Sent: Wednesday, September 24, 2014 8:59 AM
To: Nagle, Edwin (James)
Subject: Re: Source based routing

Hi,

Have a look at the route-to (ex: pass in log (all) on $int_if route-to { ($ext_if0 $ext_gw0), ($ext_if1 $ext_gw1) } ... etc ... ) and/or rtable (ex: pass in on $ext_if1 proto tcp from any to <ip> port 22 rtable 1)

By default, all outbound traffic is using the defaultrouter.

On Wed, Sep 24, 2014 at 3:35 PM, Nagle, Edwin (James) <Edwin.Nagle@austinenergy.com> wrote:
> Hi all,
>
> [...]
>
> All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on.  I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP.
>
> Anyone have any ideas or suggestions as to how to accomplish this?
>
> Many thanks in advance for any guidance.
>
> James

--
Best regards,
Claudiu Vasadi

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 24 14:18:28 2014
From: Oliver Peter
To: "Nagle, Edwin (James)"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Source based routing
Date: Wed, 24 Sep 2014 16:18:13 +0200
Message-ID: <20140924141813.GA14170@mail.opdns.de>
In-Reply-To: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>
References: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>

On Wed, Sep 24, 2014 at 01:35:53PM +0000, Nagle, Edwin (James) wrote:
> Hi all,
>
> [...]
>
> My current pf.conf:
>
> nat on ! tap0 from any to any port ssh -> 10.1.9.59
> nat on ! tap1 from any to any port ssh -> 10.1.9.60
> nat on ! tap2 from any to any port ssh -> 10.1.9.61
>
> All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on.  I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP.
>
> Anyone have any ideas or suggestions as to how to accomplish this?

Check out the Routing section in pf.conf and give 'route-to' a try, example for outgoing traffic could be:

pass out log quick on $ext_if route-to tap0 from (tap0:network) to any port ssh

--
Oliver PETER oliver@gfuzz.de 0x456D688F

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 24 14:35:54 2014
From: Michael MacLeod
To: "Nagle, Edwin (James)", freebsd-pf@freebsd.org
Subject: Re: FW: Source based routing
Date: Wed, 24 Sep 2014 10:35:32 -0400
In-Reply-To: <27DBC528FBF8094FA7247CC9A0A5C85F02A6B3CA@AE-PEXCH02.aenetad.net>
References: <27DBC528FBF8094FA7247CC9A0A5C85F02A6B3CA@AE-PEXCH02.aenetad.net>

Hello James,

It's still a little unclear to me how you want traffic to flow in this environment (in particular how the user traffic is arriving on the box), but it'll probably be easier if you can have each class of user using a different subnet.

Regardless, it appears that you've set the default route of each FIB to be the address of the interface you want each FIB to use, which isn't going to work - your default gateway generally isn't yourself. It appears that all of your traffic should be using the same default gateway, and you're only interested in ensuring the egress interface/IP of the traffic. You *may* not even need multiple FIBs, but instead just multiple instances of SSHD set to listen to specific addresses (emphasis on may - you might instead need separate FIBs, though each one would still have the same default gateway set).

Regards,
Mike
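Claudiu's and Oliver's replies both point at route-to, and Michael's at keeping one real gateway per FIB. The ruleset below is an added example, not anything posted in this thread, showing what a complete, loadable pf.conf built on route-to and reply-to looks like on a host with two uplinks. It generalises past James's case: every interface name, address, subnet and gateway in it is assumed, and it does not reproduce the three-tap-interfaces-on-one-subnet layout, which the thread leaves unresolved.

```pf
# Added example, not from this thread.  Interface names, addresses and
# gateways are assumed; the kernel's default route is assumed to go via
# $ext_gw0 on $ext_if0.
ext_if0 = "em0"             # uplink A, holds the default route
ext_gw0 = "192.0.2.1"
ext_if1 = "em1"             # uplink B
ext_gw1 = "198.51.100.1"
int_if  = "em2"             # inside network
via_b   = "10.0.1.0/24"     # inside hosts that must leave through uplink B

set skip on lo0

# Translation is keyed on the interface the packet actually leaves on, so a
# packet that route-to steers out $ext_if1 gets $ext_if1's address.  route-to
# itself never rewrites the source address.
nat on $ext_if0 from $int_if:network to any -> ($ext_if0)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)

block log all

# Connections that arrive on an uplink are answered through that uplink's
# gateway, regardless of which one holds the default route.
pass in on $ext_if0 reply-to ($ext_if0 $ext_gw0) proto tcp from any to ($ext_if0) port ssh
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to ($ext_if1) port ssh

# Policy routing for inside hosts.  pf is last-match unless a rule says quick,
# so the specific route-to rule must come after the general one.
pass in on $int_if from $int_if:network to any
pass in on $int_if route-to ($ext_if1 $ext_gw1) from $via_b to any

# Locally generated packets: a packet carrying uplink B's address that the
# kernel sent towards the default route is pushed back out through uplink B,
# and vice versa, so source address and egress interface always agree.
pass out on { $ext_if0 $ext_if1 } from any to any
pass out on $ext_if0 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
pass out on $ext_if1 route-to ($ext_if0 $ext_gw0) from ($ext_if0) to any
```

Parse it with pfctl -nf /etc/pf.conf before loading, then watch pfctl -vvs rules while making a test connection to see which rule's counters move, and pfctl -ss to see which interface the resulting state sits on. Note the division of labour: route-to and reply-to only pick the outgoing interface and next hop, the nat rules supply the matching source address, and rtable N (which James's second ruleset uses) is a third, separate knob that selects the FIB used for the routing lookup of matching packets.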
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 25 18:30:51 2014
From: Laszlo Danielisz
Reply-To: Laszlo Danielisz
To: "freebsd-pf@freebsd.org"
Subject: referer filtering
Date: Thu, 25 Sep 2014 11:24:01 -0700
Message-ID: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>

Hi,

I was wondering how it is possible to accept a connection, let's say on port 80, only if it comes from a specified referer.
Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.

Any ideas?

Thx!
Laszlo

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 25 19:45:35 2014
From: Javad Mustafayev
To: Laszlo Danielisz via freebsd-pf
Subject: Re: referer filtering
Date: Fri, 26 Sep 2014 00:37:31 +0500

Hi, I can suggest the config below.

Let's say this config will be on server B's pf.conf, and your network interface of B with IP address 2.2.2.2 is bge0.

Then you can use the following config:

#pf.conf
#macros

ext_if="bge0"
A="1.1.1.1"
B="2.2.2.2"

#global options
set block-policy return #or you can use drop
set skip on lo0
set loginterface $ext_if #optional

#all other configurations

#here you block all

block return in all #or you can use drop :)

#and here allow TCP connections on port 80 only from A(1.1.1.1) to B(2.2.2.2)

pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state

That's all. It's such a simple configuration file. You can find more advanced and fancy configuration models on the web, but I suggest the pf manual ;)
Good luck.
--
name: Javad Mustafayev
title: System Administrator
company: Smarty LLC
mobile: 00994.51.927.11.99
mail: javad@smarty.az
web.mail: j.mustafayev@gmail.com

On Sep 25, 2014 11:24 PM, Laszlo Danielisz via freebsd-pf <freebsd-pf@freebsd.org> wrote:
>
> Hi,
>
> I was wondering how it is possible to accept a connection, let's say on port 80, only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.
>
> Any ideas?
>
> Thx!
> Laszlo

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 26 03:44:46 2014
From: Laszlo Danielisz
Reply-To: Laszlo Danielisz
To: Javad Mustafayev, Laszlo Danielisz via freebsd-pf
Subject: Re: referer filtering
Date: Thu, 25 Sep 2014 20:41:23 -0700
Message-ID: <1411702883.12303.YahooMailNeo@web160702.mail.bf1.yahoo.com>
In-Reply-To: <20140925194539.18FCDFEE@hub.freebsd.org>
References: <20140925194539.18FCDFEE@hub.freebsd.org>

Thank you!

Isn't this just going to accept traffic on port 80 from A to B?
pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state

I mean customers who would like to connect to $B won't be able to.

On Thursday, September 25, 2014 9:45 PM, Javad Mustafayev <javad@smarty.az> wrote:
> Hi, I can suggest the config below.
>
> [...]
>
> #and here allow TCP connections on port 80 only from A(1.1.1.1) to B(2.2.2.2)
>
> pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state
>
> [...]

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 26 11:50:55 2014
From: Daniel Hartmeier
To: Laszlo Danielisz
Subject: Re: referer filtering
Date: Fri, 26 Sep 2014 13:22:13 +0200
Message-ID: <20140926112213.GA18108@insomnia.benzedrine.cx>
References: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>
In-Reply-To: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>
<1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: "freebsd-pf@freebsd.org" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Sep 2014 11:50:55 -0000 On Thu, Sep 25, 2014 at 11:24:01AM -0700, Laszlo Danielisz via freebsd-pf wrote: > I was wondering how is possible to accept a connection, lets say on port 80 only if it comes from a specified referer. > Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A. You mean filtering based on a HTTP Referer: header? pf doesn't work on that layer at all. Technically, B has to accept the client's connection and read the HTTP request (for the Referer: header) to make its decision. It can produce an error (or redirect) or close the connection, but "not accepting the connection" is impossible. You'd have to do this at the application layer, e.g. Apache has modules that allow access control based on HTTP headers[1], or use a HTTP proxy like squid (pf can assist redirecting to it). Also note that the referer header isn't always reliable, as it can be faked easily[2]. 
HTH, Daniel [1] http://www.uiowa.edu/server/manual/mod/mod_access_referer.html#motivation [2] http://www.stardrifter.org/refcontrol/

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 26 17:32:19 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4EC2636B for ; Fri, 26 Sep 2014 17:32:19 +0000 (UTC) Received: from nm16-vm9.bullet.mail.gq1.yahoo.com (nm16-vm9.bullet.mail.gq1.yahoo.com [98.137.177.242]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 10701B88 for ; Fri, 26 Sep 2014 17:32:18 +0000 (UTC) Received: from [216.39.60.181] by nm16.bullet.mail.gq1.yahoo.com with NNFMP; 26 Sep 2014 17:32:12 -0000 Received: from [208.71.42.204] by tm17.bullet.mail.gq1.yahoo.com with NNFMP; 26 Sep 2014 17:32:12 -0000 Received: from [127.0.0.1] by smtp215.mail.gq1.yahoo.com with NNFMP; 26 Sep 2014 17:32:12 -0000 X-Yahoo-Newman-Id: 694004.1501.bm@smtp215.mail.gq1.yahoo.com Message-ID: <694004.1501.bm@smtp215.mail.gq1.yahoo.com> X-Yahoo-Newman-Property: ymail-3 From: "Sahar alGhrarri" Subject: I await your response To: "freebsd-pf" MIME-Version: 1.0 Reply-To: "Sahar alGhrarri" Date: Fri, 26 Sep 2014 18:32:08 +0100 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Sep 2014 17:32:19 -0000

Greetings, I am Mrs. Sahar alGhrarri, the only surviving member of a family that was crushed in a bomb-blast during the war in Libya. Currently, I am battling with a (partial stroke) which resulted from the shock gotten from the incident.
Please view the below link for details: http://www.wsws.org/articles/2011/jun2011/liby-j20.shtml

When my husband, who was a crude oil merchant, was alive, we had plans to use the last days of our lives to disburse part of our resources to charity organizations and several unknown individuals, because when we were much younger in life as a couple, we received financial help from an unknown individual whom we have not met till this day. The impact we got from such a gesture made us want to do the same.

Unfortunately, my husband is not alive today to do this with me and my health is deteriorating so fast; hence I have decided it on our behalf. Having donated to several individuals and charity organizations from our savings, I have decided to anonymously donate the last of our family savings to you.

Irrespective of your previous financial status, please do accept this kind and peaceful offer on behalf of my beloved family. Please acknowledge Mrs. Sahar. Email: sahar-alghram102@gmx.com

May war and pains never come close to your dwelling place.

Regards
Mrs. Sahar alGhrarri
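Returning to Daniel Hartmeier's reply on referer filtering above: pf never sees the Referer header, so server B has to accept the TCP connection, read the HTTP request, and only then answer 200 or 403. The following Python is an added example written for this archive, not code from the thread or from pf, Apache or squid. It assumes server A is http://1.1.1.1 as in Laszlo's question, constructs the HTTP request bytes inline, and shows the two things a practitioner should take from Daniel's answer: the decision is made after the request is read, and the header is client-supplied, so a forged Referer passes any check while a careless substring check also lets attacker-controlled URLs through.

```python
"""Referer allow-listing where it has to happen: after the connection is
accepted and the request has been read. Added example for the freebsd-pf
thread on referer filtering; not code from the thread. Assumed: server A is
http://1.1.1.1 (from the question); all request bytes here are constructed."""
from urllib.parse import urlsplit

# Origins whose links may reach server B: compare scheme and host, nothing else.
ALLOWED_REFERRER_ORIGINS = {("http", "1.1.1.1")}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers).

    Header names are folded to title case so lookups are case-insensitive;
    a repeated header keeps its last value, which is enough for this check."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return method, target, headers


def referer_origin(value):
    """(scheme, host) of a Referer value, or None if absent or not an http(s) URL."""
    if not value:
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower())


def referer_allowed(headers, allowed=ALLOWED_REFERRER_ORIGINS):
    """Strict check: the Referer's origin must be in the allow-list."""
    return referer_origin(headers.get("Referer")) in allowed


def naive_referer_allowed(headers, needle="1.1.1.1"):
    """The common mistake: a substring test on the raw header value."""
    return needle in headers.get("Referer", "")


def handle(raw: bytes):
    """Decide the way server B must: read the request first, then 200 or 403."""
    _method, _target, headers = parse_request(raw)
    return 200 if referer_allowed(headers) else 403


def request_with(referer=None):
    """Constructed GET / request to B, optionally carrying a Referer header."""
    lines = ["GET / HTTP/1.1", "Host: 2.2.2.2"]
    if referer is not None:
        lines.append("Referer: " + referer)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    cases = {
        "link followed from A": "http://1.1.1.1/links.html",
        "substring bypass via query": "http://evil.example/?u=http://1.1.1.1/",
        "substring bypass via subdomain": "http://1.1.1.1.evil.example/",
        "forged by the client": "http://1.1.1.1/",   # anyone can send this
        "no Referer (privacy setting)": None,
    }
    for label, ref in cases.items():
        hdrs = parse_request(request_with(ref))[2]
        print(f"{label:32s} strict={referer_allowed(hdrs)!s:5} "
              f"naive={naive_referer_allowed(hdrs)!s:5} -> {handle(request_with(ref))}")
```

The "forged by the client" case is Daniel's point in code: the strict check and the naive one both return 200 because nothing in the request distinguishes a browser that followed A's link from a client that typed the header. The origin comparison only closes the cheaper bypasses (a hostname that merely contains 1.1.1.1, or the allowed URL smuggled into a query string), and the last case shows the operational cost: clients that suppress Referer are refused even when they came from A.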