From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Fri, 8 Jan 2010 06:55:43 +0100
Subject: Re: setfib + pf + synproxy not working
In-Reply-To: <25cb73eeb5cb6830aefd1164b23e82b8.squirrel@pop.pknet.net>
Message-Id: <201001080655.43652.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Friday 08 January 2010 06:04:34 Peter wrote:
> Hi,
> Playing around with FIBs and jails.
>
> The host system is on a private 172.xxx network with a gateway of 172.xxx
> going through a NAT box for internet. [fib 0]
>
> The jail has only a public IP, on fib 1 [with gateway being ISP router]
>
> With this, the jail is working fine.
>
> What I'm trying to accomplish is portknocking for 'ssh' access:
>
> pass in log quick proto tcp from any to any port {1234} synproxy state \
> (max-src-conn-rate 5/15, overload )
>
> Because the jail is on 'fib 1', the connection is never established to
> overload the rule. The 'synproxy state' is communicating via the
> 172.xxxx/default gateway [of fib 0] instead of via the public "fib 1"
>
> I can ssh into the jail if I do
> pass in log quick proto tcp from any to any port {22} keep state
>
> I CANNOT ssh into the jail if I do
> pass in log quick proto tcp from any to any port {22} synproxy state
>
> Any way I can force 'synproxy' to communicate via fib 1?

I don't think I understand your setup and intent completely, but you can
select a fib with the "rtable" filter parameter. It *should* be used for
the synproxy communication, as well. Please report if this helps.

-- 
Max
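The rule form Max is pointing at, written out as an added example that is not part of either message in the thread: Peter's knock rule and ssh rule with the `rtable` filter option selecting FIB 1. The interface name, the jail's address and the `<knocked>` table name are assumptions (the table name in the original post was lost in extraction). pf.conf(5) notes that `rtable` only takes effect before the route lookup, i.e. when filtering inbound, which is why the option sits on the `pass in` rules and not on any outbound rule.

```pf
# Added example, not from the original thread. The interface name, the
# jail address and the table name are assumptions.
pub_if  = "em1"              # interface carrying the jail's public IP (FIB 1)
jail_ip = "198.51.100.10"    # placeholder public address of the jail

# Sources that have "knocked" by opening more than 5 connections to
# port 1234 within 15 seconds; max-src-conn-rate/overload fills it.
table <knocked> persist

# Knock rule. "rtable 1" makes the route lookup for this connection use
# FIB 1 (the jail's ISP gateway) instead of FIB 0's 172.x default route;
# per Max's reply the synproxy SYN-ACK should follow the same FIB.
pass in log quick on $pub_if proto tcp from any to $jail_ip port 1234 \
    rtable 1 synproxy state \
    (max-src-conn-rate 5/15, overload <knocked> flush)

# ssh is only reachable from sources that have overloaded the knock rule,
# again routed through FIB 1 so the proxied handshake leaves the right way.
pass in log quick on $pub_if proto tcp from <knocked> to $jail_ip port 22 \
    rtable 1 synproxy state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it (an older pf that lacks the `rtable` keyword fails here rather than silently ignoring it), and `pfctl -sr` afterwards should print `rtable 1` on both rules. `setfib 1 netstat -rn` confirms FIB 1's default route is the ISP router, and running `tcpdump -ni em1 tcp port 1234` while knocking shows whether the SYN-ACK now leaves on the public interface instead of the 172.x one, which is the observation Max asked Peter to report back on.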