From: "Aristeu Gil Alves Jr" <aristeu.jr@gmail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 23 Oct 2006 18:49:35 -0200
Subject: reply-to+synproxy versus default route
Message-ID: <2c84c1de0610231349k1c303ff1ie790d498d3ce47db@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

The reply-to is not working when it is used with synproxy.
The scenario is described below. gw-isp1 and gw-isp2 are the IPs of the ISP 1 and ISP 2 gateways:

/etc/pf.conf
------------------------------------
if_isp1="ed0"
if_isp2="ed1"
if_internal="ed2"

# reply-to targets: ( interface gateway ) for each ISP link
route1="( ed0 gw-isp1 )"
route2="( ed1 gw-isp2 )"

# SMTP arriving on either ISP link is redirected to the internal mail server
rdr on $if_isp1 proto tcp to port 25 -> 192.168.0.2 port 25
rdr on $if_isp2 proto tcp to port 25 -> 192.168.0.2 port 25

block in log all

# replies must leave on the same ISP link the SYN arrived on
pass in quick on $if_isp1 reply-to $route1 proto tcp to 192.168.0.2 port 25 synproxy state
pass in quick on $if_isp2 reply-to $route2 proto tcp to 192.168.0.2 port 25 synproxy state
pass out quick on $if_internal to 192.168.0.2 port 25 keep state
--------

The default route is the ISP1 gateway.

--------

The problem is that even with pf feeding the route, the reply packet obeys the route imposed by the system default route. Example: a SYN packet comes in on the ISP2 interface and the reply goes out via ISP1, resulting in communication failure.

When I use keep state instead of synproxy state, the communication goes as expected.

--
Aristeu Gil Alves Jr