Date: Fri, 8 Jan 2010 06:55:43 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: setfib + pf + synproxy not working
Message-ID: <201001080655.43652.max@love2party.net>
In-Reply-To: <25cb73eeb5cb6830aefd1164b23e82b8.squirrel@pop.pknet.net>
References: <25cb73eeb5cb6830aefd1164b23e82b8.squirrel@pop.pknet.net>
On Friday 08 January 2010 06:04:34 Peter wrote:
> Hi,
> Playing around with FIBs and jails.
>
> The host system is on a private 172.xxx network with a gateway of 172.xxx
> going through a NAT box for internet. [fib 0]
>
> The jail has only a public IP, on fib 1 [with gateway being ISP router]
>
> With this, the jail is working fine.
>
> What I'm trying to accomplish is portknocking for 'ssh' access:
>
> pass in log quick proto tcp from any to any port {1234} synproxy state \
> (max-src-conn-rate 5/15, overload <portknock_ssh>)
>
> Because the jail is on 'fib 1', the connection is never established to
> overload the rule. The 'synproxy state' is communicating via the
> 172.xxxx/default gateway [of fib 0] instead of via the public "fib 1"
>
> I can ssh into the jail if I do
> pass in log quick proto tcp from any to any port {22} keep state
>
> I CANNOT ssh into the jail if I do
> pass in log quick proto tcp from any to any port {22} synproxy state
>
> Any way I can force 'synproxy' to communicate via fib 1 ?

I don't think I understand your setup and intent completely, but you can
select a fib with the "rtable" filter parameter. It *should* be used for the
synproxy communication, as well. Please report if this helps.

-- Max
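The following pf.conf fragment is an added example, not part of the thread, showing how Max's suggestion would look when applied to Peter's rules. The interface name em0, routing table number 1 (matching the jail's fib), and the use of <portknock_ssh> as the allow-list for port 22 are assumptions; the page itself only states that the "rtable" filter parameter selects the fib and that it should also apply to the synproxy handshake.

```conf
# Added example (not from the thread). Assumptions: interface em0,
# the jail's public address lives in fib 1, and <portknock_ssh> is the
# table that grants access to port 22.

# Table filled by the overload option; persist keeps it across reloads.
table <portknock_ssh> persist

# Knock rule: rtable 1 tells pf to use routing table 1 for this state,
# so the handshake completed by synproxy goes out through fib 1 instead
# of the host's fib 0 default gateway. Five connections within 15 seconds
# from one source add that source to <portknock_ssh>.
pass in log quick on em0 proto tcp from any to any port 1234 \
    rtable 1 synproxy state \
    (max-src-conn-rate 5/15, overload <portknock_ssh>)

# SSH only from sources that have knocked, again via rtable 1.
pass in log quick on em0 proto tcp from <portknock_ssh> to any port 22 \
    rtable 1 synproxy state

# Everything else to port 22 is rejected.
block in quick on em0 proto tcp from any to any port 22
```

To verify the rule loaded as intended, `pfctl -v -s rules` prints each rule with its rtable setting, and `pfctl -t portknock_ssh -T show` lists the sources currently in the table. Note that `rtable` only affects packets matched by that rule; traffic the jail itself originates keeps using fib 1 as set by setfib.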