From owner-freebsd-pf@FreeBSD.ORG Mon Aug 8 12:29:36 2005
Message-ID: <42F7502C.4070003@tirloni.org>
Date: Mon, 08 Aug 2005 09:29:32 -0300
From: "Giovanni P. Tirloni" <gpt@tirloni.org>
To: Sergey Lapin
Cc: pf@freebsd.org
Subject: Re: Fwd: pf problems
In-Reply-To: <48239d390508080452270c8d10@mail.gmail.com>
References: <48239d390508040958265ce62@mail.gmail.com> <48239d3905080504297b3ebc89@mail.gmail.com> <200508060411.05482.max@love2party.net> <48239d390508080452270c8d10@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Sergey Lapin wrote:
> When pf blocks an incoming packet with a "block return" rule, it does not
> return the RST or ICMP packet to the interface the original packet came
> from but always uses the default gateway instead. This way, if we have the
> default gateway set to ISP2's 2.0.0.1 and a packet destined to 1.0.0.254
> comes in on the ISP1 interface (ext_if1) and this packet gets blocked with
> "block return", the TCP RST packet with source address 1.0.0.254 will
> be sent through the 2.0.0.1 gateway. Obviously, ISP2 drops packets whose
> source does not belong to their network, so basically "block return"
> does not work at all.

I have the same situation here and we use route-to to route everything from
ISP1's network to their gateway and vice-versa. route-to re-routes a packet
from 1.0.0.0/24 when it's trying to leave through the ISP2 interface and
everything then gets NAT'ed properly.

pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) from $isp1_net to any

-- 
Giovanni P. Tirloni / gpt@tirloni.org
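The following pf.conf skeleton is an added example, not part of the thread, showing the symmetric route-to arrangement the reply describes for a dual-ISP firewall. Only 1.0.0.0/24 and the 2.0.0.1 default gateway come from the thread; the interface names (em0, em1, em2), ISP1's gateway 1.0.0.1, ISP2's network 2.0.0.0/24, the LAN range and the ssh service are assumptions. The reply-to rules go beyond what the message shows and are the usual complement to route-to for traffic accepted on a non-default ISP interface.

```pf
# Added example (not from the thread): dual-ISP pf.conf built on the route-to
# approach described in the reply. Macro values are hypothetical except for
# 1.0.0.0/24 and the 2.0.0.1 default gateway, which the thread mentions.
ext_isp1_if = "em0"
ext_isp1_gw = "1.0.0.1"           # assumed ISP1 gateway
isp1_net    = "1.0.0.0/24"

ext_isp2_if = "em1"
ext_isp2_gw = "2.0.0.1"           # the system default gateway in the thread
isp2_net    = "2.0.0.0/24"        # assumed ISP2 network

int_if  = "em2"
lan_net = "192.168.0.0/24"        # assumed LAN range

set skip on lo

# NAT LAN hosts to the address of whichever ISP interface the packet leaves on,
# so the source address always belongs to the ISP that carries the packet.
nat on $ext_isp1_if from $lan_net to any -> ($ext_isp1_if)
nat on $ext_isp2_if from $lan_net to any -> ($ext_isp2_if)

# Default deny. "block return" is what generates the RST/ICMP discussed in the
# thread; "log" records the interface pf saw the blocked packet on.
block return log all

# Symmetric routing: a packet carrying ISP1 addresses that the kernel routes
# via the default (ISP2) interface is pushed back out ISP1's interface to
# ISP1's gateway, and vice-versa. The first rule is the one posted above.
# pf uses last-match-wins, so these must follow the block rule.
pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) from $isp1_net to any
pass out on $ext_isp1_if route-to ($ext_isp2_if $ext_isp2_gw) from $isp2_net to any

# reply-to (added here, not in the thread): replies belonging to a state
# created on one external interface leave via that interface's gateway,
# regardless of the default route. Example service: ssh to the firewall.
pass in on $ext_isp1_if reply-to ($ext_isp1_if $ext_isp1_gw) proto tcp \
    from any to ($ext_isp1_if) port 22 keep state
pass in on $ext_isp2_if reply-to ($ext_isp2_if $ext_isp2_gw) proto tcp \
    from any to ($ext_isp2_if) port 22 keep state

# Ordinary outbound traffic. Sources are restricted to each ISP's own range so
# that a packet re-routed by route-to is still accepted on the new interface.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_isp1_if from $isp1_net to any keep state
pass out on $ext_isp2_if from $isp2_net to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Whether the RST or ICMP packet that `block return` itself generates passes through the outbound route-to rule depends on the pf version, so confirm rather than assume: run `tcpdump -ni em0 'tcp[tcpflags] & tcp-rst != 0'` and the same on em1 while opening a connection to a blocked port on the ISP1 address, and see which interface the RST leaves on. For connections that pf does accept, the reply-to rules are what keep the return traffic on the interface the connection arrived on.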