From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: Marko Cupać
Cc: freebsd-net@freebsd.org
Subject: Re: setfib (ez)jails and wierd routing
Date: Tue, 17 Oct 2017 21:30:16 +0200
Message-ID: <20171017193016.GA19784@plan-b.pwste.edu.pl>
In-Reply-To: <20171017202816.66a1664d@efreet-freebsd.kappastar.com>
References: <20171016162204.5d01a1b1@efreet-freebsd.kappastar.com> <20171016180728.GA32726@plan-b.pwste.edu.pl> <20171017202816.66a1664d@efreet-freebsd.kappastar.com>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Oct 17, 2017 at 08:28:16PM +0200, Marko Cupać wrote:
> On Mon, 16 Oct 2017 20:07:28 +0200
> Marek Zarychta wrote:
> 
> > Hi,
> > 
> > try to set "ifconfig bce1 fib 2" after disabling PF.
> > This should do the work.
> 
> Hi Marek,
> 
> thank you for your advice, it seems to be getting me closer to the
> solution.
> 
> PF is not enabled on this host. I've set `ifconfig bce1 fib 2'
> interactively, and packets with source address of DMZ net disappeared
> from LAN NIC (bce0 / fib 1).
> 
> Of course I wanted to have this automated, so I changed my rc.conf line
> for bce1:
> ifconfig_bce1="inet 193.53.106.7 netmask 255.255.255.0 fib 2"
> 
> However, after restart I observed another undesirable situation:
> packets with source address 193.53.106.7 leaving the bce0 interface. I
> found out those are generated by the sysutils/py-salt master service
> running directly on the host (fib 0), bound to 193.53.106.7 (on interface
> bce1, which is now set as fib 2 at boot time).
> 
> Why is the outcome different when bce1 is set with fib 2 at boot time
> from rc.conf versus setting it at runtime?
> 
> If setting bce1 with fib 2 at boot time from rc.conf, should I also
> start services running directly on the host and bound to bce1 in fib 2?
> Would this be the correct rc.conf syntax for starting services in other
> fibs (for salt):
> 
> salt_master_enable="YES"
> salt_master_fib="2"
> salt_minion_enable="YES"
> salt_minion_fib="2"

Hi Marko,

Binding an interface to a FIB applies only to packets received on that
interface (ifconfig(8)). IMHO py-salt works as expected and as before.

If you wish to apply a FIB to packets belonging to connections
originating from the host, you should either start the service with
setfib(1) or use appropriate firewall rules to assist this. With pf(4)
it could be the route-to or rtable options, see pf.conf(5).

Best regards,

-- 
Marek Zarychta
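The two mechanisms named in the reply, setfib(1) for host-originated connections and pf route-to/rtable, put side by side with the rc.conf syntax Marko asked about. This is an added configuration example, not part of the thread and not FreeBSD project code; bce1 and 193.53.106.7 come from Marko's post, while the FIB count, the DMZ gateway 193.53.106.1 and the rc.d service names are assumptions.

```conf
# /boot/loader.conf
# Assumed: the kernel needs FIBs 0..2, so three tables.
net.fibs="3"

# /etc/rc.conf
# "fib 2" tags only packets *received* on bce1 (ifconfig(8)); it does not
# move connections the host itself opens out of FIB 0.
ifconfig_bce1="inet 193.53.106.7 netmask 255.255.255.0 fib 2"

# FIB 2 needs its own default route; 193.53.106.1 is an assumed DMZ gateway.
static_routes="dmz_default"
route_dmz_default="-fib 2 default 193.53.106.1"

# Host-originated traffic: start the daemon under setfib(1). rc.subr(8)
# honours ${name}_fib for every rc.d script, so the lines Marko guessed
# are the supported syntax (service names assumed to match the rc.d scripts).
salt_master_enable="YES"
salt_master_fib="2"
salt_minion_enable="YES"
salt_minion_fib="2"

# By hand, plus the checks to run before trusting the boot-time result:
#   setfib -F 2 service salt_master onestart
#   netstat -rnF 2              # routing table of FIB 2 only
#   sockstat -4l | grep salt    # listener really bound to 193.53.106.7

# /etc/pf.conf
# Firewall-assisted alternative (pf.conf(5)): anything the host sends from
# the DMZ address that the FIB 0 lookup would push out bce0 is handed to
# bce1 and the DMZ gateway instead.
dmz_if = "bce1"
dmz_gw = "193.53.106.1"        # assumed
pass out quick on bce0 from 193.53.106.7 route-to ($dmz_if $dmz_gw)
# pf.conf(5) also documents rtable, which has pf do the lookup in FIB 2
# instead of naming the next hop; keep whichever survives testing on your
# pf version:
# pass out quick from 193.53.106.7 rtable 2
```

The ifconfig line and the ${name}_fib lines solve different halves of the problem: the former decides which table forwarded and replied-to packets arriving on bce1 use, the latter decides which table the daemon's own connect()s use. Leaving either out reproduces the symptom in the thread, DMZ-sourced packets leaving the LAN interface.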