Date: Thu, 6 Apr 2017 18:56:33 +0200
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: Nils Beyer <nbe@renzel.net>
Cc: freebsd-net@freebsd.org
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Message-ID: <20170406165633.GA94134@plan-b.pwste.edu.pl>
In-Reply-To: <201704060709.v36797pJ035503@plan-b.pwste.edu.pl>
References: <4956261.2DO1X0b8Gd@asbach.renzel.net> <20170405113352.GB20974@zxy.spb.ru> <29877.6759453633$1491395346@news.gmane.org> <201704051246.v35CkKB3028504@plan-b.pwste.edu.pl> <20170405181021.GA76030@plan-b.pwste.edu.pl> <201704060709.v36797pJ035503@plan-b.pwste.edu.pl>
On Thu, Apr 06, 2017 at 09:08:49AM +0200, Nils Beyer wrote:
> Marek Zarychta wrote:
> > pass in quick on $ext_if_1 \
> > [...]
> > pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
> > [...]
> > pass in quick on $ext_if_1 \
> > [...]
> > pass in quick on $ext_if_2 \
>
> that's what I meant in my opening post - you have to create a rule for
> every possible gateway. It even gets more complex if your server itself
> is a gateway for other servers in your network and you have to distribute
> outgoing traffic depending on the requesting server in your network.
>
> So something simple like:
> ------------------------------------------------------------------------------
> ipfw add 60000 fwd $ip_gw_2 all from $ext_net_2 to any via $ext_if_1
> ipfw add 60001 fwd $ip_gw_1 all from $ext_net_1 to any via $ext_if_2
> ------------------------------------------------------------------------------
>
> is not possible with PF?
>

I think it will not be possible with PF since both firewalls were designed with quite different approaches in mind. PF and IPFW can still be run together successfully and combined on the same machine, but it needs some investigation into how the packet flow looks in such scenarios. Setting multiple FIBs and adequate PF rules ending with "rtable fib" statements seems to be the best choice IMHO.

Best regards,

-- 
Marek Zarychta
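As an added illustration of the multi-FIB approach Marek suggests (this sketch is not from the thread or from either poster), here is how the forwarding case Nils describes, sending internal hosts' traffic out through the uplink that matches their source network, looks in pf.conf. The macro names follow the thread; the FIB numbers, the inside interface `$int_if`, the addresses and the one-time route setup in the comments are assumptions of this example.

```pf
# Added example, not from the thread.  Two uplinks, two FIBs:
#   FIB 0: default route via $ip_gw_1 (the ordinary routing table)
#   FIB 1: default route via $ip_gw_2
# One-time setup this ruleset assumes (FreeBSD):
#   /boot/loader.conf:   net.fibs=2
#   sysctl net.add_addr_allfibs=1      # connected routes, incl. the inside net, exist in every FIB
#   setfib -F1 route add default 198.51.100.1
ext_if_1  = "em0"
ext_if_2  = "em1"
int_if    = "em2"
ext_net_1 = "192.0.2.0/24"          # constructed documentation prefixes
ext_net_2 = "198.51.100.0/24"
ip_gw_1   = "192.0.2.1"
ip_gw_2   = "198.51.100.1"

set skip on lo0
block log all

# ipfw's "fwd" rewrites the next hop on the way OUT; PF's "rtable" is only
# honoured before the route lookup, i.e. when filtering INBOUND.  So the
# per-uplink rules sit on the inside interface, where the traffic arrives,
# and pick the FIB whose default route points at the right gateway.
#   ipfw add 60000 fwd $ip_gw_2 all from $ext_net_2 to any via $ext_if_1
pass in quick on $int_if inet from $ext_net_2 to any keep state rtable 1
#   ipfw add 60001 fwd $ip_gw_1 all from $ext_net_1 to any via $ext_if_2
pass in quick on $int_if inet from $ext_net_1 to any keep state rtable 0

# Replies from the Internet match the states created above.  Whichever FIB
# they are looked up in, the inside network is reachable, because
# add_addr_allfibs=1 puts connected routes into every FIB.
pass in quick on { $ext_if_1 $ext_if_2 } inet proto { tcp udp icmp } \
    to { $ext_net_1 $ext_net_2 } keep state

# The server's own outbound traffic stays in FIB 0 (via $ip_gw_1); connections
# terminated on the server itself still need the per-uplink "reply-to" rules
# quoted earlier in this thread, since rtable does not change where the
# locally generated replies are routed.
pass out quick on { $ext_if_1 $ext_if_2 } keep state
```

One `pass in ... rtable N` per uplink is still one rule per gateway, as Nils points out; what the FIBs buy is that the gateway lives in the routing table rather than in the rule, so a changed next hop is a `setfib -F1 route change`, not a pf.conf edit.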
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170406165633.GA94134>
