Date: Tue, 27 Jun 2017 14:51:38 +0300
From: "Zeus Panchenko" <zeus@ibs.dn.ua>
To: <freebsd-pf@freebsd.org>
Subject: [Q] what is the correct way to filter by remote pf?
Message-ID: <20170627145138.16758@relay.ibs.dn.ua>
greetings

please, advise

WHAT I HAVE:

            routerB <-> netX/16
               ^
               |
               V
clients <-> routerA <-> netX/24

WHAT I NEED:

to provide `clients <-> netX/24' traffic on the base of routerB pf rules
so, the very decision to pass or to block has to be made on routerB

HOW I THINK TO DO THAT:
================================================================================

VARIANT I
--------------------------------------------------------------------------------

---[ routerA pf.conf quotation start ]------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]--------------------------------------------

---[ routerB pf.conf quotation start ]------------------------------------------
...
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
block <clients> to <netX>
...
---[ routerB pf.conf quotation end ]--------------------------------------------

RESULTS: I see packets redirected to routerB, but there the packets are looping
until the time to live is exceeded

================================================================================

VARIANT II
--------------------------------------------------------------------------------

---[ routerA pf.conf quotation start ]------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]--------------------------------------------

---[ routerB configuration quotation start ]------------------------------------
rc.conf
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"

pf.conf
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
block <clients> to <netX24>
---[ routerB configuration quotation end ]--------------------------------------

RESULTS: are the same as for VARIANT I

================================================================================

VARIANT III
--------------------------------------------------------------------------------

something else ... may it relate to pfsync somehow?

-- 
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
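The loop the poster reports can be walked through with a small model of the two routers. This is an added illustration, not pf code and not part of the original post: it applies the post's tag / tagged / route-to rules in a toy evaluator and counts hops until the packet is delivered or its TTL runs out. Everything it assumes is labelled: pf's default floating state policy (a packet matching an existing state's forward direction gets that state's route-to again, whatever interface it arrives on), pf tags being host-local (they do not travel between routerA and routerB), an untagged packet matching no rule being forwarded normally (the post's "..." rules are unknown, and routerB's trailing block rule is left out), and constructed placeholder addresses and interface names in place of the post's symbolic ones.

```python
"""Toy model of the routerA/routerB route-to exchange from the post (added
illustration; the assumptions listed in the lead-in are marked in comments)."""
from dataclasses import dataclass, field
from typing import Optional, List, Tuple
import ipaddress

# Constructed placeholder networks standing in for the post's tables.
CLIENTS = ipaddress.ip_network("10.10.0.0/24")          # <clients>
CLIENTS_ALLOWED = ipaddress.ip_network("10.10.0.0/28")  # <clients-allowed>
NETX24 = ipaddress.ip_network("172.16.5.0/24")          # <netX24>


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int = 8
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    """One 'pass in' rule, reduced to the options the post's rules use."""
    iface: Optional[str] = None                   # None: any interface
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    tag: Optional[str] = None                     # tag applied when the rule matches
    tagged: Optional[str] = None                  # matches only already-tagged packets
    route_to: Optional[str] = None                # next-hop router name

    def matches(self, pkt: Packet, iface: str) -> bool:
        if self.iface is not None and self.iface != iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.tagged is not None and self.tagged not in pkt.tags:
            return False
        return True


class Router:
    def __init__(self, name: str, rules: List[Rule], if_bound: bool = False):
        self.name, self.rules, self.if_bound = name, rules, if_bound
        self.states = {}  # state key -> next hop fixed when the state was created

    def _key(self, pkt: Packet, iface: str):
        # Assumption: floating states (pf default) ignore the inbound interface.
        key = (pkt.src, pkt.dst)
        return key + (iface,) if self.if_bound else key

    def handle(self, pkt: Packet, iface: str) -> str:
        """Return the next hop: a router name, or 'netX24' for normal forwarding."""
        key = self._key(pkt, iface)
        if key in self.states:           # existing state: its route-to applies again
            return self.states[key]
        route_to = None
        for rule in self.rules:          # pf: last matching rule wins, tags are sticky
            if rule.matches(pkt, iface):
                if rule.tag:
                    pkt.tags.add(rule.tag)
                route_to = rule.route_to
        nxt = route_to or "netX24"       # assumption: no match -> ordinary forwarding
        self.states[key] = nxt
        return nxt


def simulate(if_bound: bool = False, ttl: int = 8) -> Tuple[str, List[str]]:
    """Send one client packet towards netX/24; return (outcome, hop list)."""
    router_a = Router("routerA", [
        Rule(iface="if_clients", src=CLIENTS, dst=NETX24, tag="TO_AUTH"),
        Rule(tagged="TO_AUTH", route_to="routerB"),
    ], if_bound)
    router_b = Router("routerB", [
        Rule(iface="if_to_routerA", src=CLIENTS_ALLOWED, dst=NETX24, tag="AUTHED"),
        Rule(tagged="AUTHED", route_to="routerA"),
    ], if_bound)
    routers = {"routerA": router_a, "routerB": router_b}
    pkt = Packet(src="10.10.0.7", dst="172.16.5.1", ttl=ttl)  # constructed flow
    where, iface, hops = "routerA", "if_clients", []
    while pkt.ttl > 0:
        nxt = routers[where].handle(pkt, iface)
        hops.append(f"{where}->{nxt}")
        if nxt == "netX24":
            return "delivered", hops
        pkt.ttl -= 1
        pkt.tags.clear()                 # assumption: tags are host-local, not on the wire
        where = nxt
        iface = "if_to_routerA" if nxt == "routerB" else "if_to_routerB"
    return "ttl exceeded", hops


if __name__ == "__main__":
    print(simulate())               # floating states: ping-pong until the TTL runs out
    print(simulate(if_bound=True))  # interface-bound states: delivered on routerA's second pass
```

With floating states the packet bounces between the routers until its TTL reaches zero, which is the symptom the post describes: routerA never re-evaluates its rules because the packet returning from routerB matches the state whose route-to sends it to routerB again. Setting `if_bound=True` keys the state on the inbound interface as well, so the packet coming back on the other interface is matched against the rules afresh; in this model it then matches neither the interface-specific rule nor the `tagged` rule and is forwarded normally. pf's knob for that behaviour is `set state-policy if-bound` in pf.conf, but whether the untagged packet is then passed on a real routerA depends on the rules the post elides, so the model shows the mechanism, not a verified fix.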