From: "Zeus Panchenko" <zeus@ibs.dn.ua>
To: freebsd-pf@freebsd.org
Subject: [Q] what is the correct way to filter by remote pf?
Date: Tue, 27 Jun 2017 14:51:38 +0300
Message-ID: <20170627145138.16758@relay.ibs.dn.ua>
Organization: I.B.S. LLC
List-Id: "Technical discussion and general questions about packet filter (pf)"

greetings

please, advise

WHAT I HAVE:

            routerB <-> netX/16
               ^
               |
               V
clients <-> routerA <-> netX/24

WHAT I NEED:

to provide `clients <-> netX/24' traffic on the basis of routerB pf rules,
so the very decision to pass or to block has to be made on routerB

HOW I THINK TO DO THAT:

==================================================================

VARIANT I
------------------------------------------------------------------

---[ routerA pf.conf quotation start ]----------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from to tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]------------------------------

---[ routerB pf.conf quotation start ]----------------------------
...
pass in log (to pflog1) on $if_routerB-to-routerA from to tag AUTHED
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
block to
...
---[ routerB pf.conf quotation end ]------------------------------

RESULTS: I see packets redirected to routerB, but there the packets are
looping until the time to live is exceeded

==================================================================

VARIANT II
------------------------------------------------------------------

---[ routerA pf.conf quotation start ]----------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from to tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]------------------------------

---[ routerB configuration quotation start ]----------------------
rc.conf
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"

pf.conf
pass in log (to pflog1) on $if_routerB-to-routerA from to tag AUTHED
block to
---[ routerB configuration quotation end ]------------------------

RESULTS: are the same as for VARIANT I

==================================================================

VARIANT III
------------------------------------------------------------------

something else ... may it relate to pfsync somehow?

-- 
Zeus V. Panchenko                      jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC                                GMT+2 (EET)
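A constructed model of the VARIANT I and VARIANT II forwarding paths, added here as an example and not part of the post or of pf itself: a tiny last-match rule evaluator with sticky tags, route-to and per-flow state that reproduces the reported loop. It assumes pf's default floating (not if-bound) states, so the packet coming back from routerB re-matches the state routerA created with route-to; the interface names, the "local" delivery marker, the elided table references and routerB's block rule are assumptions or omissions of this model.

```python
# Constructed model of the VARIANT I / VARIANT II forwarding path: a tiny last-match
# evaluator with sticky tags, route-to and states. Not pf; it mirrors pf.conf semantics.
from dataclasses import dataclass, field

@dataclass
class Rule:
    iface: str = None      # match only on this ingress interface (None: any)
    tag: str = None        # tag applied on match (tags are sticky in pf)
    tagged: str = None     # match only packets already carrying this tag
    route_to: str = None   # next hop forced by route-to (None: routing table)

@dataclass
class Router:
    rules: list
    routes: dict           # destination network -> next hop ("local" = deliver)
    floating: bool = True  # assumption: default floating (not if-bound) states
    states: dict = field(default_factory=dict)
    def forward(self, pkt, iface):
        """Return the next hop chosen for pkt arriving on iface."""
        key = (pkt["src"], pkt["dst"]) + (() if self.floating else (iface,))
        if key not in self.states:        # first packet of the flow: evaluate rules
            tag, nexthop = None, None
            for r in self.rules:
                if (r.iface and r.iface != iface) or (r.tagged and r.tagged != tag):
                    continue
                tag = r.tag or tag        # a tag sticks even if a later rule wins
                nexthop = r.route_to      # the last matching rule decides route-to
            self.states[key] = nexthop    # route-to is remembered in the state
        return self.states[key] or self.routes[pkt["dst"]]

def trace(variant, floating=True, ttl=8):
    """Walk one client packet towards netX/24; return the path and the outcome."""
    a = Router([Rule(iface="if_clients", tag="TO_AUTH"),
                Rule(tagged="TO_AUTH", route_to="routerB")], {"netX/24": "local"}, floating)
    b_rules = [Rule(iface="if_B_to_A", tag="AUTHED")]
    if variant == 1:      # VARIANT I: routerB route-to back to routerA
        b_rules.append(Rule(tagged="AUTHED", route_to="routerA"))
    # VARIANT II: routerB instead has the rc.conf static route for netX/24 via routerA
    b = Router(b_rules, {"netX/24": "routerA" if variant == 2 else "local"}, floating)
    ingress = {"routerA": (a, "if_A_to_B"), "routerB": (b, "if_B_to_A")}
    pkt, hop, iface, path = {"src": "client", "dst": "netX/24"}, "routerA", "if_clients", []
    while ttl > 0:
        nexthop = ingress[hop][0].forward(pkt, iface)
        ttl -= 1
        path.append(f"{hop}->{nexthop}")
        if nexthop == "local":
            return path, "delivered"
        hop, iface = nexthop, ingress[nexthop][1]
    return path, "ttl exceeded"
```

With floating states both variants bounce between the routers until the TTL runs out, which matches the RESULTS lines; with floating=False the packet from routerB no longer matches routerA's state and is delivered, so the state that routerA keeps for the flow is the first thing to inspect with pfctl -s state.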