Date: Thu, 6 Apr 2017 18:56:33 +0200 From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> To: Nils Beyer <nbe@renzel.net>, tingmultiplefibsandadequatePFrulesendingwithrtablefibstatementsseemstobethebestchoiceIMHO.@plan-b.pwste.edu.pl Cc: freebsd-net@freebsd.org Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"... Message-ID: <20170406165633.GA94134@plan-b.pwste.edu.pl> In-Reply-To: <201704060709.v36797pJ035503@plan-b.pwste.edu.pl> References: <4956261.2DO1X0b8Gd@asbach.renzel.net> <20170405113352.GB20974@zxy.spb.ru> <29877.6759453633$1491395346@news.gmane.org> <201704051246.v35CkKB3028504@plan-b.pwste.edu.pl> <20170405181021.GA76030@plan-b.pwste.edu.pl> <201704060709.v36797pJ035503@plan-b.pwste.edu.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
--J2SCkAp4GZ/dPZZf Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Apr 06, 2017 at 09:08:49AM +0200, Nils Beyer wrote: > Marek Zarychta wrote: > > pass in quick on $ext_if_1 \ > > [...] > > pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \ > > [...] > > pass in quick on $ext_if_1 \ > > [...] > > pass in quick on $ext_if_2 \ >=20 > that's what I meant in my opening post - you have to create a rule for > every possible gateway. It even gets more complex if your server itself > is a gateway for other servers in your network and you have to distribute > outgoing traffic depending on the requesting server in your network. >=20 > So something simple like: > -------------------------------------------------------------------------= ----- > ipfw add 60000 fwd $ip_gw_2 all from $ext_net_2 to any via $ext_if_1 > ipfw add 60001 fwd $ip_gw_1 all from $ext_net_1 to any via $ext_if_2 > -------------------------------------------------------------------------= ----- >=20 > is not possible with PF? >=20 I think it will not be possible with PF since both firewalls were projected= with quite different approach in mind. PF and IPFW can be still successful= ly run together and combined on the same machine, but it needs some investi= gation how the packet flow looks like in such scenarios. Setting multiple fibs and adequate PF rules ending with "rtable fib" statem= ents seems to be the best choice IMHO. Best regards, --=20 Marek Zarychta --J2SCkAp4GZ/dPZZf Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEEMOqvKm6wKvS1/ZeCdZ/s//1SjSwFAljmcz4ACgkQdZ/s//1S jSxKdgf/fXb8PVbmrhngFfwsf2t6kBDm8F8Xpyv5P7MIxoL/Yk4ET4Dcbc0u1aer Uhe37r74iSn6BHBpsS9mgmO+vCjHGtoBTSnstpf+7MBzLfI4eS9xV2nj6bJo/I0p xIMhs9hYAYKalrZpxZ/osKPAdUHRd9YUt8jldegUxgYtJq3ppFhrKn6r+Z8Ph0mL kNKzTRfpmdrlDuckSJwGNvTWWAe6jGOukJJopzTuytZXJKqc4Fugw30ofv9BDcyl scn1SH3SG2x9ydo1JcKMe20O1ePlAwzGjy59RxzqklPVKH2BY+M6sIgbN+rOXLUB FCMstWJEhw+TA/o2AyBXfrVZpiJYpg== =6BHR -----END PGP SIGNATURE----- --J2SCkAp4GZ/dPZZf--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170406165633.GA94134>