From: Ludovit Koren
To: Ultima
Cc: FreeBSD Mailing List
Subject: Re: PF - reply-to
Date: Mon, 08 Mar 2021 12:36:09 +0100

>>>>> Ultima writes:

> Hey Ludovit,
> More details would be helpful. There can be a few reasons why it is not working that I can see.

> 1. Do you have an rdr rule to redirect to $web_addr for the pass rule?

Yes, I have an rdr rule, but there are rules without rdr and it seems they are not working either.

> 2. Rules out of order

I do not understand. I have definitions, nat, rdr, and rules.

> 3. Conflicting rules.

I did not find any.

> The best way to debug this would be logging the rules and watching where the traffic is going via tcpdump.

I did exactly what you suggest. The block rule logged a reset packet from the source of the web traffic. As soon as I changed the default router, everything started to work with the same unchanged pf.conf.

Regards,

lk

> Best regards,
> Richard Gallamore

> On Sun, Mar 7, 2021 at 10:58 AM Ludovit Koren wrote:

> Hi all,
>
> we have 2 Internet connections coming on the same interface. One is
> primarily used for incoming connections and services that we provide to
> Internet (web, mail). The other connection is primarily used for
> browsing (cache/proxy) and DNS. There are 2 different routers.
>
> I am using FreeBSD 12.2-STABLE r369178 and PF. The question is which
> router should I set as default router. I suppose, I can use reply-to
> and/or route-to, respectively. If I use (default router $router2):
>
> pass in on $ext_if reply-to (bge0 $router1) inet proto tcp from any to $web_addr port 443 keep state
>
> it is not working. The following setup is working (default router $router1):
>
> pass out on $ext_if route-to (bge0 $router2) inet proto tcp from any to any keep state
>
> Is it a bug, or do I not understand the manual page correctly?
>
> Thank you very much.
>
> Regards,
>
> lk

-- 
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
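
The three checks raised in the thread (rdr interaction, rule order, conflicting rules) can be made visible in a pf.conf fragment like the one below. It is an added example, not the poster's configuration and not a confirmed fix for the problem reported; all addresses and the `web_pub` macro are constructed placeholders, and rules for other interfaces are omitted.

```conf
# Added example fragment; addresses are constructed placeholders.
ext_if   = "bge0"
router1  = "192.0.2.1"      # router for inbound services (assumed address)
router2  = "192.0.2.2"      # system default router (assumed address)
web_pub  = "192.0.2.10"     # hypothetical public service address
web_addr = "10.0.0.10"      # hypothetical internal web server

# Translation is evaluated before filtering, so the pass rule below
# has to match the post-rdr destination ($web_addr), not $web_pub.
rdr on $ext_if inet proto tcp from any to $web_pub port 443 -> $web_addr

# Logged default block: hits appear on pflog0 with the rule number.
block log all

# The last matching rule wins unless "quick" is used. "quick" prevents a
# later, broader pass rule from creating the state without reply-to.
pass in log quick on $ext_if reply-to ($ext_if $router1) \
    inet proto tcp from any to $web_addr port 443 keep state

# Everything else leaves through the default route ($router2).
pass out on $ext_if inet proto tcp from any to any keep state

# Checks while testing (run as root):
#   pfctl -nf /etc/pf.conf          parse only, do not load
#   pfctl -vvsr                     rule numbers and per-rule counters
#   pfctl -vvss                     states, with the rule that created each
#   tcpdump -n -e -ttt -i pflog0    logged packets with the matching rule
```

If the state for a port 443 connection turns out to have been created by a rule other than the reply-to rule, replies follow the routing table to the default router instead of `$router1`.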