From owner-freebsd-pf@FreeBSD.ORG Sat Jul 15 15:49:24 2006
From: Nejc Skoberne
To: Odhiambo WASHINGTON
Cc: freebsd-pf@freebsd.org
Subject: Re: Multihoming with route-to
Date: Sat, 15 Jul 2006 17:49:10 +0200
Message-ID: <44B90E76.2080808@skoberne.net>
In-Reply-To: <20060715084102.GA63164@ns2.wananchi.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Hello,

I changed the pf.conf a little, so it fits my needs (I also need multihoming for a server which is reachable via a forwarded port). So TCP and ICMP work correctly now. However, I still have problems with UDP services. For example, I also run a DNS server on this FreeBSD server. If I try to resolve some host using this DNS server from some third-party machine like this:

    $ nslookup host.domain.com A.B.C.D   # See the first post for topology description

it works smoothly. If I try to use the server's second IP (E.F.G.H), the DNS reply gets stuck in between. After tcpdumping the connection, I realized that even though the destination IP in the DNS request is E.F.G.H, the source address of the DNS reply is A.B.C.D! That is why the route-to rule doesn't work any more. If I remember correctly, this is due to the fact that UDP is a connectionless protocol and the DNS server doesn't have to bind to a specific address and port when sending a UDP packet (DNS reply). Therefore it uses the source IP address of the interface via which it tries to send the reply (default route).

How could I solve this problem?

> May I please see what your final pf.conf looks like now?

You can find it here: http://nejc.skoberne.net/pf.conf

I incorporated the reply-to rules directly in my filtering definitions. Do not hesitate to ask for further explanation of the rules.

Thanks & bye.
Nejc
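The symptom described in the post (a query sent to the second address, a UDP reply leaving with the primary address as source, so the route-to/reply-to rule never matches) can be reproduced on a single host. The following is an added example, not code from the thread or from any DNS server; it is a toy UDP responder in Python. It assumes two loopback aliases, 127.0.0.2 and 127.0.0.3, standing in for A.B.C.D and E.F.G.H (Linux accepts any 127/8 address on lo by default; on FreeBSD they would have to be added to lo0 first). It shows the failing case, one socket bound to the wildcard address, next to the usual server-side fix of binding one socket per address, which is what the poster's explanation of the cause implies:

```python
"""Constructed demonstration (not code from the mailing-list thread): why a
UDP service bound to the wildcard address answers from the default-route
address instead of the address the query was sent to, and the usual fix of
binding one socket per address.  127.0.0.2 and 127.0.0.3 stand in for the
post's A.B.C.D and E.F.G.H; Linux accepts any 127/8 address on lo by
default (on FreeBSD add them with `ifconfig lo0 alias ...` first)."""
import select
import socket
import threading

ADDR_A = "127.0.0.2"   # stands in for A.B.C.D, the primary/default-route address
ADDR_B = "127.0.0.3"   # stands in for E.F.G.H, the second uplink address
CLIENT = "127.0.0.1"   # the "third-party machine" that sends the query


def _answer_one(socks):
    """Server side: answer a single datagram on whichever socket receives it.
    The reply goes out through the *same* socket, so its source address is
    whatever that socket is bound to; for a wildcard socket the kernel picks
    the address of the route towards the client, i.e. the default route."""
    readable, _, _ = select.select(socks, [], [], 2.0)
    for sock in readable:
        data, peer = sock.recvfrom(512)
        sock.sendto(b"reply:" + data, peer)


def reply_source_seen_by_client(server_socks, target):
    """Client side: send one query to `target` and report the source IP of
    the reply, which is what a route-to/reply-to rule would be matching on."""
    server = threading.Thread(target=_answer_one, args=(server_socks,))
    server.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.bind((CLIENT, 0))
        client.settimeout(2.0)
        client.sendto(b"query", target)
        _, (src_ip, _) = client.recvfrom(512)
    finally:
        client.close()
        server.join()
    return src_ip


def wildcard_bound_reply_source():
    """The failing setup from the post: one socket listening on 0.0.0.0.
    The query goes to ADDR_B, but the reply does not come back from it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("0.0.0.0", 0))
        port = sock.getsockname()[1]
        return reply_source_seen_by_client([sock], (ADDR_B, port))
    finally:
        sock.close()


def per_address_bound_reply_source():
    """The fix: one socket per address, same port on both (as a DNS server
    listening on port 53 on each address explicitly would do)."""
    sock_a = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock_b = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock_a.bind((ADDR_A, 0))
        port = sock_a.getsockname()[1]      # reuse the same port for ADDR_B
        sock_b.bind((ADDR_B, port))
        return reply_source_seen_by_client([sock_a, sock_b], (ADDR_B, port))
    finally:
        sock_a.close()
        sock_b.close()


if __name__ == "__main__":
    print("query to", ADDR_B, "- wildcard-bound reply from:",
          wildcard_bound_reply_source())
    print("query to", ADDR_B, "- per-address-bound reply from:",
          per_address_bound_reply_source())
```

Run as a script, the first line shows the reply arriving from the client's route-preferred address rather than from 127.0.0.3, which is exactly the mismatch the tcpdump in the post revealed; the second line shows the reply leaving from 127.0.0.3 once the server owns a socket bound to that address. Binding per address is the portable fix; a single wildcard socket can also be made to answer correctly by asking the kernel for each datagram's destination address (IP_RECVDSTADDR on FreeBSD) and sending the reply with that address as source, but that needs recvmsg/sendmsg handling in the server itself.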