Date:      Sun, 7 Dec 2025 17:28:49 -0500
From:      Michael Butler <imb@protected-networks.net>
To:        freebsd-current <freebsd-current@freebsd.org>
Subject:   fib selection and persistence using ipfw
Message-ID:  <20350073-abc5-4116-9fd7-8e8f708a26d4@protected-networks.net>


Having two upstream providers, I'm trying to enforce symmetric routing
which, in OpenBSD's pf config, can be implemented using:

# Inbound control-plane to the firewall itself (per-WAN reply-to for symmetry)
pass in on $wan_a proto { tcp, udp, icmp } to ($wan_a) \
     reply-to ($wan_a $gw_a) keep state
pass in on $wan_b proto { tcp, udp, icmp } to ($wan_b) \
     reply-to ($wan_b $gw_b) keep state

I've tried all manner of ipfw packet tagging in the hope that it would 
yield similar results, e.g.

setfib 1 ip from any to any recv tap0
setfib 1 ip from any to any tagged 1
count tag 1 ip from any to any recv tap0

  [ .. ]

check-state
allow ip from .. keep-state
deny log ip from any to any

Is anyone else doing something like this on -current?

	Michael


