From owner-freebsd-net@FreeBSD.ORG Tue Mar 13 03:25:07 2007
From: Alexandre Biancalana <ale@seudns.net>
To: Tom Judge
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Date: Mon, 12 Mar 2007 23:58:14 -0300
Message-ID: <45F61346.6050808@seudns.net>
In-Reply-To: <45F5D3FD.8070802@tomjudge.com>
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com> <45F58B94.9000308@seudns.net> <45F58D1D.8080304@tomjudge.com> <45F59254.2050907@seudns.net> <45F5A395.9010309@tomjudge.com> <45F5CF26.6070100@seudns.net> <45F5D3FD.8070802@tomjudge.com>
List-Id: Networking and TCP/IP with FreeBSD

Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Tom Judge wrote:
>>>>>>> Alexandre Biancalana wrote:
>>>>>>>> Tom Judge wrote:
>>>>>>>>> Alexandre Biancalana wrote:
>>>>>>>>>> Hi List,
>>>>>>>>>>
>>>>>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two
>>>>>>>>>> internet links, but I can't get the route-to rule to work as I
>>>>>>>>>> need.
>>>>>>>>>>
>>>>>>>>>>   (default gw)           ______
>>>>>>>>>>   Link A <-----------> |int A |
>>>>>>>>>>                        |      |
>>>>>>>>>>   Link B <-----------> |int B |
>>>>>>>>>>                        |______|
>>>>>>>>>>                        FreeBSD FW
>>>>>>>>>>
>>>>>>>>>> A simple thing that I need to do is test the two Internet
>>>>>>>>>> links to know if they are up or not. To do this I could ping
>>>>>>>>>> or connect to TCP ports on some external IPs through each link.
>>>>>>>>>> Using nc and hping I tried to generate connections/packets from
>>>>>>>>>> each network interface connected to each link, but the packets
>>>>>>>>>> always go out by the interface indicated by the machine's
>>>>>>>>>> default route.
>>>>>>>>>>
>>>>>>>>>> I tried to add these rules in pf to force packets out by the
>>>>>>>>>> right interface based on their source address, but this does
>>>>>>>>>> not work, and the packets generated with the IP of int B are
>>>>>>>>>> going out by int A.
>>>>>>>>>>
>>>>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>>>>>>
>
>
>> I understand that, I just don't see much difference between your rules
>> and my rules example... both examples should work... but here none
>> of them work.....
>>
>> Adding a static destination route to an external host via gw_b and
>> pinging with the int_a address, the packet exits by int_b with the
>> int_a source address... the same behavior...
>>
>> I tried your way:
>>
>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network
>>
>> # pfctl -vv -sr
>> @28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
>>   [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
>> @29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
>>   [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]
>>
>> Any more hints?!
>
> Han Hwei Woo wrote:
> > Just to be certain, are you aware that for PF, the last matching rule is
> > applied? Also, you can use the command:
> > # pfctl -vv -sr
> > to examine how your rules are being matched.
>
> Try the following, which forces the first rule the packet matches
> (marked with quick) to be the final rule used to process the packet:
>
> pass out quick log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
> pass out quick log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network

I added a keep state at the end of each rule and now it all works!

I will do more tests and report any problem...

Thanks in advance!!!

Alexandre
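For reference, here is what the rule set the thread converged on (Tom's quick rules plus Alexandre's keep state) looks like as a complete pf.conf fragment. This is an added example and not code from either message; the interface names, gateway addresses and the trailing general pass rule are assumptions chosen to illustrate the layout in Alexandre's diagram.

```pf
# Added example for the two-link firewall discussed in this thread.
# Not from the original messages: interface names, gateway addresses
# and the final catch-all rule are assumptions.

int_a    = "em0"             # link A, the interface holding the default route
int_b    = "em1"             # link B
int_a_gw = "198.51.100.1"    # assumed next hop on link A
int_b_gw = "203.0.113.1"     # assumed next hop on link B

# Packets the firewall itself generates with int B's address would follow
# the default route out int A (and vice versa). These rules hand such
# packets to the other link's gateway instead.
#
# "quick": pf is last-match-wins, so without it a later, more general
#          pass rule (like the catch-all below) silently takes over and
#          the route-to rule shows "Packets: 0" in pfctl -vv -sr.
# "keep state": on pf in 6-STABLE state is not created by default; with
#          it the route-to decision is tied to the connection.
pass out quick log on $int_a route-to ( $int_b $int_b_gw ) \
    from $int_b to ! $int_b:network keep state
pass out quick log on $int_b route-to ( $int_a $int_a_gw ) \
    from $int_a to ! $int_a:network keep state

# Everything else leaves by the normal routing table.
pass out quick on { $int_a, $int_b } keep state
```

Check it before loading with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, then source a probe from the non-default link (for example `ping -S <int_b address> <external host>`) while watching `tcpdump -n -i em1` and `tcpdump -n -e -ttt -i pflog0`; the `Packets` counter for the corresponding route-to rule in `pfctl -vv -sr` should now increase. Note that pf from OpenBSD 4.1 onwards (FreeBSD 7.0 and later) applies `keep state` to pass rules implicitly, so on newer systems only the `quick` part of this fix is still needed.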