From: Stefan Lambrev
Date: Thu, 20 Mar 2008 16:40:38 +0200
To: Eygene Ryabinkin
Cc: freebsd-net@freebsd.org, Vlad GALU
Subject: Re: route-to not working
Message-ID: <47E27766.6010901@moneybookers.com>
List-Id: Networking and TCP/IP with FreeBSD

Greetings,

Eygene Ryabinkin wrote:
> Stefan, good day.
>
> Thu, Mar 20, 2008 at 03:43:44PM +0200, Stefan Lambrev wrote:
>
>>>> But here is a working example which you can improve, of course.
>>>>
>>>> #dual home
>>>> pass in on $ext_if1 reply-to ($ext_if1 $gw1) from any to $external_addr1 keep state
>>>> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>>>> pass in on $ext_if2 reply-to ($ext_if2 $gw2) from any to $external_addr2 keep state
>>>> pass out on $ext_if1 route-to ($ext_if2 $gw1) from $external_addr2 to any
>>>>
>>>> #dual home ssh only
>>>> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>>>> pass out on $ext_if1 route-to ($ext_if2 $gw1) from $external_addr2 to any
>>>> pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $external_addr1 port 22 keep state
>>>> pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $external_addr2 port 22 keep state
>>>>
> [...]
>
>> You forget that the first rule to match wins, and keep state (which is on by
>> default in 7.0) will make replies match the state, not the pass out rules.
>
> Maybe I am badly interpreting the last sentence, but in pf, the
> last rule that matches (or the first rule with the 'quick' keyword)
> wins. The above rules are just decoupled from each other, because
> they differ in the interface/direction. And sure, when the
> state is created, the subsequent packets are not passed through the
> ruleset. Am I missing something?
>

Yes, you are absolutely right - the last rule that matches will win, and
there is only one rule that will match incoming packets and create state,
thus preventing outgoing packets from matching anything else but this state.

> Thank you.
>

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
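As an added illustration (not code from this thread or from pf itself), a small Python model of the semantics the two mails agree on: a state entry is consulted before the ruleset, and otherwise the last matching rule wins unless an earlier match carries 'quick'. Interface, address and gateway names are placeholders taken from the ruleset above; the gw2 gateway behind ext_if2 is an assumption.

```python
from collections import namedtuple

# direction is "in"/"out"; gw is the route-to / reply-to gateway, None if absent
Rule = namedtuple("Rule", "direction iface src dst gw keep_state quick",
                  defaults=("any", "any", None, False, False))
Pkt = namedtuple("Pkt", "direction iface src dst")

def matches(r, p):
    return (r.direction == p.direction and r.iface == p.iface
            and r.src in ("any", p.src) and r.dst in ("any", p.dst))

class Pf:
    def __init__(self, rules):
        self.rules, self.states = rules, {}   # states: (src, dst) -> gateway

    def filter(self, p):
        key = (p.src, p.dst)
        if key in self.states:                 # state hit: ruleset is skipped
            return "state", self.states[key]
        winner = None
        for r in self.rules:
            if matches(r, p):
                winner = r                     # keep going: last match wins...
                if r.quick: break              # ...unless this rule is 'quick'
        if winner is None:
            return "block", None
        if winner.keep_state:
            self.states[key] = None                  # forward: normal routing
            self.states[(p.dst, p.src)] = winner.gw  # replies use reply-to gw
        # a gateway on a pass-in rule is reply-to, so it only affects replies
        return "rule", winner.gw if p.direction == "out" else None

# Ruleset from the thread, constructed here; gw2 on the second uplink is assumed
RULES = [Rule("in", "ext_if1", dst="external_addr1", gw="gw1", keep_state=True),
         Rule("out", "ext_if2", src="external_addr1", gw="gw1"),
         Rule("in", "ext_if2", dst="external_addr2", gw="gw2", keep_state=True),
         Rule("out", "ext_if1", src="external_addr2", gw="gw2")]

def trace_connection(rules=RULES):
    # SYN arrives on ext_if1; the kernel would route the reply out ext_if2
    pf = Pf(rules)
    syn = pf.filter(Pkt("in", "ext_if1", "client", "external_addr1"))
    return syn, pf.filter(Pkt("out", "ext_if2", "external_addr1", "client"))

def last_match_wins(quick=False):
    # plain pass out before a route-to rule: the later rule decides unless quick
    pf = Pf([Rule("out", "ext_if2", quick=quick),
             Rule("out", "ext_if2", src="external_addr1", gw="gw1")])
    return pf.filter(Pkt("out", "ext_if2", "external_addr1", "client"))
```

trace_connection() shows the reply being decided by the state (gateway gw1 from reply-to) without the pass out rules ever being evaluated, which is the behaviour both mails describe.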