From: Takahiro Kurosawa
Date: Fri, 7 Apr 2017 10:40:33 +0900
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
To: Nils Beyer
Cc: freebsd-net@freebsd.org
In-Reply-To: <4956261.2DO1X0b8Gd@asbach.renzel.net>

2017-04-05 20:20 GMT+09:00 Nils Beyer :
> That's my "pf.conf"
> ------------------------------------------------------------------------------
> scrub in all
>
> block in log
> pass in inet proto icmp
> pass in inet proto tcp to port { ssh }
> pass on lo0
>
> pass out
> pass out on wan1 route-to (wan2 9.0.0.254) from wan2
> pass out on wan2 route-to (wan1 8.0.0.254) from wan1
> ------------------------------------------------------------------------------

What if you change the line:

> pass in inet proto tcp to port { ssh }

to:

pass in inet proto tcp to port { ssh } no state

Without "no state", the incoming ssh packet generates a pf state entry, then the response packets are probably passed by the state instead of using "route-to" rules.
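For readers following the thread, the quoted ruleset with the stateless ssh rule applied, as an added illustration that is not part of either message. The interface names wan1/wan2 and the gateway addresses 8.0.0.254/9.0.0.254 are taken from the quoted pf.conf; the rule labels are assumed names added only so that hit counters can be read back with pfctl.

```pf
# Added example, not from the thread: Nils's ruleset with the change
# Takahiro proposes. Interfaces and gateways are the ones quoted above;
# the labels are assumed names used only to read counters back.

scrub in all

block in log

pass in inet proto icmp

# "no state": no state entry is created for inbound ssh, so the server's
# replies are not passed by a state and instead have to match the
# "pass out ... route-to" rules below. "flags any" is written out so the
# stateless rule matches every TCP segment of the session, not only the
# initial SYN. Trade-off: without state, pf no longer checks that a
# segment to port 22 belongs to a handshake it has seen.
pass in inet proto tcp to port { ssh } flags any no state label "ssh_in_stateless"

pass on lo0

pass out

# Replies sourced from wan2's address leave via wan2's gateway and vice
# versa. With the inbound rule stateless, these are the rules that now
# see the ssh replies.
pass out on wan1 route-to (wan2 9.0.0.254) from wan2 label "sym_wan1_to_wan2"
pass out on wan2 route-to (wan1 8.0.0.254) from wan1 label "sym_wan2_to_wan1"

# Check after loading with "pfctl -f /etc/pf.conf" (as root):
#   pfctl -vsr
# prints each rule followed by its "Evaluations / Packets / Bytes / States"
# counters; while an ssh session to the wan2 address runs, the Packets
# counter of "sym_wan1_to_wan2" should increase. If it stays at zero, the
# replies are still being passed by a state rather than by the route-to rule.
```

The labels change nothing about filtering; they only make the route-to rules easy to find in `pfctl -vsr` output when confirming which rule actually passed the reply packets.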