From: Link <link@ngc.net.ua>
Date: Mon, 02 Mar 2009 19:17:30 +0200
To: Tom Uffner
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd 7.1 pf route-to connection stall
Message-ID: <49AC14AA.2030808@ngc.net.ua>
In-Reply-To: <49A9BBF5.1060706@uffner.com>
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua> <49A9BBF5.1060706@uffner.com>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

Tom Uffner writes:
> Zinevich Denis wrote:
>> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
>> work. But anyway the question is not in the syntax of the rules, because
>> nobody touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3.
>>
>> Network is quite simple.
>> Server has 2 cards bce0 and bce1
>> bce0 - 172.20.51.10
>> bce1 - 172.20.1.130
>> default gw - 172.20.1.1
>> networks are /24
>>
>> As I described before, the goal of my rule is to ignore the default route
>> when a request comes in on 172.20.51.10.
>> Without such a rule the reply will go to 172.20.1.1, and with the pf rule
>> it will go out to 172.20.51.1 via bce0.
>> For example, a similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from
>> 172.20.51.10 to any
>>
>>> Link wrote:
>>>> My full configuration is:
>>>>
>>>> if_bce0="bce0"
>>>> if_bce0_gw="172.20.51.1"
>>>> if_bce1="bce1"
>>>>
>>>> scrub in all
>>>>
>>>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 \
>>>>     to any no state flags any
>
> I apologize for misunderstanding the part of your reply about FreeBSD 7.1
> patchlevels. I realized my error too late, after I had sent the message.
>
> The simplest way to do what you want doesn't involve a firewall at all.
> Simply configure the devices on the 172.20.51/24 network with the
> following routes:
>
>   Destination    Gateway
>   default        172.20.51.1
>   172.20.1/24    172.20.51.10
>
> If this is not possible for some reason and you must bounce them through
> the firewall, I think the rules you want are:
>
>   pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
>   pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
>       from $if_bce0:network to any
>
> According to my understanding of pf syntax, it was probably a bug that
> your ruleset ever worked. "... from $if_bce0 ..." should have matched
> only packets from the local server w/ source address 172.20.51.10.
>
> Just adding :network to the $if_bce0 in the from clause of your rule
> should make it do what you want, but is quite inefficient. You are
> checking every outbound packet on bce1 after all of the normal processing
> & routing has been done, rewriting the ones that arrived on bce0 and
> sending them back through the network subsystem again.
>
> It would be better to check the in-bound packets on bce0, accept the ones
> destined for the local host or the 172.20.1/24 network, and re-route the
> ones that would use the default gw.
>
> tom
>

Thanks for your reply. Tried the rules you've listed. Does not help....
I've checked with tcpdump; packets are still going out using the default
route.
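For reference, the rules from this thread collected into one pf.conf for the two-card host described above. This is an added example, not the configuration of either poster. The quick rule and the route-to rule are the ones Tom suggests; the reply-to rule is an addition based on pf.conf(5), where reply-to routes the return packets of a stateful connection out the named interface and gateway, which is what the stated goal (replies from 172.20.51.10 leaving via bce0 rather than the default gateway) actually calls for. Whether any of these rules behave on 7.1-p3 is not established by this thread.

```pf
# Added example (not from the thread). Host layout as described above:
#   bce0  172.20.51.10/24, upstream gateway 172.20.51.1
#   bce1  172.20.1.130/24, carries the default route via 172.20.1.1
if_bce0    = "bce0"
if_bce0_gw = "172.20.51.1"
if_bce1    = "bce1"

scrub in all

# Connections to the host itself that arrive on bce0: keep state and tag
# the state with reply-to, so the replies leave via bce0 and 172.20.51.1
# instead of following the default route out bce1. (Addition beyond the
# thread; reply-to needs a stateful rule to recognise the return packets.)
pass in quick on $if_bce0 reply-to ($if_bce0 $if_bce0_gw) \
    from any to 172.20.51.10 keep state

# Forwarded traffic for the 172.20.1/24 side is passed unchanged;
# "quick" stops evaluation so the route-to rule below never sees it.
pass in quick on $if_bce0 from any to 172.20.1.0/24

# Everything else arriving on bce0 from its own subnet would otherwise use
# the default gateway; send it back out bce0 to 172.20.51.1 instead.
# "$if_bce0:network" expands to 172.20.51.0/24. Plain "$if_bce0" expands
# to the interface address 172.20.51.10 only, which is why the original
# "from $if_bce0" form matches just packets the host itself originates.
pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
    from $if_bce0:network to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and verify the effect the same way the original poster did: watch `tcpdump -ni bce0` and `tcpdump -ni bce1` while connecting to 172.20.51.10 from the 172.20.51/24 side and confirm the replies appear on bce0 with 172.20.51.1's MAC as the next hop. Rule order matters: the reply-to rule must sit before the plain quick rule, or the quick rule for the local address would win first and no state with a reply route would be created.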