From owner-freebsd-net@freebsd.org Mon Sep 21 07:36:10 2020
From: Eugene Grosbein <eugen@grosbein.net>
To: Grzegorz Junka, freebsd-net@freebsd.org
Subject: Re: sshd on two fibs
Date: Mon, 21 Sep 2020 14:35:50 +0700
References: <48e3aa5d-3123-45f2-5c46-6851ad90110a@gjunka.com> <4d78a442-147f-db32-72ae-487d3e0197cc@grosbein.net> <9ff48087-b24e-263c-b1c2-030318722ec1@gjunka.com>
In-Reply-To: <9ff48087-b24e-263c-b1c2-030318722ec1@gjunka.com>
List-Id: Networking and TCP/IP with FreeBSD

21.09.2020 14:21, Grzegorz Junka wrote:

>> All you need is telling the kernel to use the right gateway based on source IP address despite the default route;
>> this is called policy-based routing and you can achieve that with a single ipfw rule:
>>
>> ipfw add 2000 fwd $gateway2 ip from $wan2ip to any out xmit $wan1
>>
>> That is: redirect IP packets with the source of the second WAN interface ($wan2ip) to the right gateway of that WAN ($gateway2)
>> if they are going out using the (wrong) route to WAN1. That's all.
>
> Thanks Eugene. I am reluctant to add firewall rules because the second interface is configured as being in fib 1.

Existence of fib 1 does not matter for your case, at all.

> This is so that jails, which are also started with fib 1, can use the proper routing table.

Exactly.

> I don't want to add complexity where it isn't necessary, unless there is no other option.

Me too. And a single ipfw rule is the minimal possible addition; all other solutions are more complex.

> Is it possible to somehow configure sshd to use the proper routing table?

It is possible, but it won't help you, because every routing table contains routes that do NOT depend on the source IP address of the packet, and you need such policy-based routing. Standard routing tables do not offer policy-based routing, so they are useless for you.

You could read the rc.conf(5) manual page to learn about the _fib knob (f.e. sshd_fib="1") but it won't solve your problem.

You could also add your own startup script to run a second copy of sshd with its own PID file, listening IP address and FIB, but that would be a much more complex solution.

Just tell the kernel you need policy-based routing with ipfw. This just works. No need to utilize the second FIB just because you already have it.
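The argument above (a FIB chooses a route by destination only, so a second FIB cannot send sshd replies sourced from the WAN2 address out through WAN2's gateway, while the single ipfw fwd rule can) as an added simulation; this is not code from the thread or from FreeBSD, and the interface names, addresses and gateways are constructed.

```python
import ipaddress

# Constructed topology (assumed, not from the post): WAN1 holds the default
# route, WAN2 is a second uplink whose replies must go back via its own gateway.
WAN1_IF, WAN1_IP, GATEWAY1 = "em0", "203.0.113.10", "203.0.113.1"
WAN2_IF, WAN2_IP, GATEWAY2 = "em1", "198.51.100.10", "198.51.100.1"

# A FIB is keyed by destination prefix only: (prefix, interface, next hop);
# next hop None means the prefix is directly connected.
FIB0 = [
    ("203.0.113.0/24", WAN1_IF, None),
    ("198.51.100.0/24", WAN2_IF, None),
    ("0.0.0.0/0", WAN1_IF, GATEWAY1),
]


def fib_lookup(dst, fib=FIB0):
    """Longest-prefix match on the destination. The source address is never
    consulted, which is exactly why a FIB alone cannot do policy routing."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, iface, nexthop = best
    return iface, nexthop or str(addr)


def route_packet(src, dst, pbr=True):
    """Route as the kernel would, then apply the rule from the thread:
    'fwd $gateway2 ip from $wan2ip to any out xmit $wan1'."""
    iface, nexthop = fib_lookup(dst)
    if pbr and src == WAN2_IP and iface == WAN1_IF:
        # ipfw fwd replaces the next hop; the outgoing interface is then
        # whatever the (connected) route to the new next hop resolves to.
        iface, nexthop = fib_lookup(GATEWAY2)
    return iface, nexthop


if __name__ == "__main__":
    for src in (WAN1_IP, WAN2_IP):
        for pbr in (False, True):
            print(src, "pbr" if pbr else "fib-only", route_packet(src, "192.0.2.50", pbr))
```

With `pbr=False` the WAN2-sourced reply leaves via WAN1's gateway, which is the asymmetric path the original question ran into.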