Date: Fri, 7 Apr 2017 10:40:33 +0900
From: Takahiro Kurosawa <takahiro.kurosawa@gmail.com>
To: Nils Beyer <nbe@renzel.net>
Cc: freebsd-net@freebsd.org
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Message-ID: <CADDnucn51R2vzyPGKOjiAzj5kjuCZ3gRPCkwFn5RoC+338=bvQ@mail.gmail.com>
In-Reply-To: <4956261.2DO1X0b8Gd@asbach.renzel.net>
References: <4956261.2DO1X0b8Gd@asbach.renzel.net>
2017-04-05 20:20 GMT+09:00 Nils Beyer <nbe@renzel.net>:
> That's my "pf.conf"
> ------------------------------------------------------------------------------
> scrub in all
>
> block in log
> pass in inet proto icmp
> pass in inet proto tcp to port { ssh }
> pass on lo0
>
> pass out
> pass out on wan1 route-to (wan2 9.0.0.254) from wan2
> pass out on wan2 route-to (wan1 8.0.0.254) from wan1
> ------------------------------------------------------------------------------

What if you change the line:

> pass in inet proto tcp to port { ssh }

to:

pass in inet proto tcp to port { ssh } no state

Without "no state", the incoming ssh packet generates a pf state entry, then the response packets are probably passed by the state instead of using "route-to" rules.
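Editor's note: the ruleset below is an added example, not part of the thread. It puts the rule as posted and the "no state" variant suggested above side by side, with comments explaining why the stateful form bypasses the route-to rules. Interface names wan1/wan2 and the gateways 8.0.0.254/9.0.0.254 are taken from the quoted pf.conf; the comments and the pfctl commands in the note that follows are the editor's.

```conf
# Added example (not the poster's file): the quoted pf.conf with the ssh
# rule shown in both forms. wan1/wan2, 8.0.0.254 and 9.0.0.254 are from
# the quoted config; nothing else is assumed about the hosts.

scrub in all

block in log
pass in inet proto icmp

# As posted: stateful (pf's default). The SYN arriving on wan2 creates a
# state entry, and every later packet of that connection, including the
# replies leaving the box, is matched against that entry and is never
# evaluated against the "pass out ... route-to" rules below. The replies
# therefore follow the routing table (default route) rather than going
# back out the interface the connection came in on.
#pass in inet proto tcp to port { ssh }

# Suggested change: pass inbound ssh without creating state, so each reply
# packet is evaluated against the ruleset on egress and the route-to rules
# below get a chance to redirect it. Trade-off: pf does no connection
# tracking for this traffic, and every packet costs a full rule evaluation.
pass in inet proto tcp to port { ssh } no state

pass on lo0

pass out
# Replies sourced from the wan2 address that the routing table would send
# out wan1 are forced through wan2's gateway instead, and vice versa.
pass out on wan1 route-to (wan2 9.0.0.254) from wan2
pass out on wan2 route-to (wan1 8.0.0.254) from wan1
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, and `pfctl -ss` lists the current state table. With the stateless inbound rule, an ssh connection to the wan2 address should no longer show an entry created by the "pass in" rule (the "pass out" rules may still create one for the reply direction, which is expected). The conventional way to get this behaviour is "reply-to" on the inbound rule, which the subject line says the poster wants to avoid.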
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADDnucn51R2vzyPGKOjiAzj5kjuCZ3gRPCkwFn5RoC%2B338=bvQ>