From: Han Hwei Woo <hhw@pce-net.com>
Date: Mon, 12 Mar 2007 14:34:08 -0700
To: Alexandre Biancalana
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Message-ID: <45F5C750.4000804@pce-net.com>
In-Reply-To: <45F564B5.10307@seudns.net>

Just to be certain, are you aware that for PF, the last matching rule is applied?

Also, you can use the command:

# pfctl -vv -sr

to examine how your rules are being matched.

Cheers,
Han

Alexandre Biancalana wrote:
> Hi List,
>
> I'm doing a firewall setup using 6-STABLE + PF with two internet links,
> but I can't get the route-to rule to function as I need.
>
>               (default gw)    ______
>   Link A <----------->       |int A |
>                              |      |
>   Link B <----------->       |int B |
>                              |______|
>                             FreeBSD FW
>
> A simple thing that I need to do is test the two Internet links to
> know if they are up or not. To do this I could ping or connect to TCP
> ports on some external IPs through each link. Using nc and hping I
> tried to do this, generating connections/packets from each network
> interface connected to each link, but the packets always go out by the
> interface indicated by the machine's default route.
>
> I tried to add these rules in pf to force packets out by the right
> interface based on their source address, but this does not work, and
> the packets generated with the IP of int B are going out by int A.
>
> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>
> Am I forgetting something? Any comments?
>
> Regards,
>
> Alexandre
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
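The point Han raises about PF applying the last matching rule, shown as an added pf.conf example that is not either poster's configuration: the route-to rules from the question are placed next to a catch-all rule that would override them, and then with `quick` so that evaluation stops at the route-to rule. The interface names (em0, em1), the gateway addresses and the assumption that Link A carries the default route are all illustrative choices, not values from the thread.

```pf
# Added example, not from the thread. Interface names, gateway addresses
# and "Link A carries the default route" are assumptions for illustration.
int_a = "em0"               # Link A, the interface of the default route
int_b = "em1"               # Link B
int_a_gw = "198.51.100.1"   # assumed next hop on Link A
int_b_gw = "203.0.113.1"    # assumed next hop on Link B

# Ordering that defeats route-to: PF evaluates every matching rule and
# the LAST match decides, so the catch-all below silently wins and a
# packet sourced from $int_b's address still leaves through $int_a.
#
#   pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any keep state
#   pass out on $int_a from any to any keep state     # evaluated later, matches, wins

# Working ordering: 'quick' ends evaluation at the route-to rule, so no
# later rule can override the routing decision. The rule is matched on
# the interface the routing table picked ($int_a for a packet from
# $int_b's address, because that is the default route) and then moved.
pass out quick log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any keep state
pass out quick log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any keep state

# After route-to moves a packet to the other interface it is filtered
# again as outbound on that interface, so each link still needs a plain
# pass rule for its own address.
pass out on $int_a from $int_a to any keep state
pass out on $int_b from $int_b to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then run Han's `pfctl -vv -sr` while generating test traffic from each interface address: each rule is printed with its `Evaluations` and `Packets` counters, so if the counters climb on a later catch-all rule rather than on the route-to rule, rule ordering is what is steering the packets.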