Date: Sat, 28 Feb 2009 17:34:29 -0500
From: Tom Uffner <tom@uffner.com>
To: Zinevich Denis <link@ngc.net.ua>
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd 7.1 pf route-to connection stall
Message-ID: <49A9BBF5.1060706@uffner.com>
In-Reply-To: <49A8FED7.3000603@ngc.net.ua>
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua>
Zinevich Denis wrote:
> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
> work. But anyway the question is not in the syntax of the rules, because nobody
> touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3.
>
> Network is quite simple.
> Server has 2 cards, bce0 and bce1:
> bce0 - 172.20.51.10
> bce1 - 172.20.1.130
> default gw - 172.20.1.1
> networks are /24
>
> As I described before, the goal of my rule is to ignore the default route when
> a request comes in on 172.20.51.10.
> Without such a rule the reply will go to 172.20.1.1, and with the pf rule it will
> go out to 172.20.51.1 via bce0.
> For example, a similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from
> 172.20.51.10 to any
>
>> Link wrote:
>>> My full configuration is:
>>>
>>> if_bce0="bce0"
>>> if_bce0_gw="172.20.51.1"
>>> if_bce1="bce1"
>>>
>>> scrub in all
>>>
>>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to
>>> any no state flags any

I apologize for misunderstanding the part of your reply about FreeBSD 7.1
patchlevels. I realized my error too late, after I had sent the message.

The simplest way to do what you want doesn't involve a firewall at all.
Simply configure the devices on the 172.20.51/24 network with the
following routes:

Destination    Gateway
default        172.20.51.1
172.20.1/24    172.20.51.10

If this is not possible for some reason and you must bounce them through
the firewall, I think the rules you want are:

pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
    from $if_bce0:network to any

According to my understanding of pf syntax, it was probably a bug that
your ruleset ever worked. "... from $if_bce0 ..." should have matched
only packets from the local server w/ source addresses of 172.20.51.10.
Just adding :network to the $if_bce0 in the from clause in your rule
should make it do what you want, but is quite inefficient.

You are checking every outbound packet on bce1 after all of the normal
processing & routing has been done, rewriting the ones that arrived on
bce0 and sending them back through the network subsystem again. It would
be better to check the inbound packets on bce0, accept the ones destined
for the local host or the 172.20.1/24 network, and re-route the ones
that would use the default gw.

tom
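The ruleset Tom sketches, written out as a complete, loadable pf.conf for the addresses given in the thread, with the original `pass out on bce1` rule kept alongside (disabled) for comparison. This is an added example, not the poster's configuration; the `local_nets` macro and the `pfctl -nf` check are assumptions of the example.

```pf
# Added example pf.conf for the two-interface host in the thread:
#   bce0 = 172.20.51.10/24, upstream gateway 172.20.51.1
#   bce1 = 172.20.1.130/24, default route via 172.20.1.1
# Not the poster's own configuration.
if_bce0="bce0"
if_bce0_gw="172.20.51.1"
if_bce1="bce1"
# Constructed macro: the host itself plus the inside network. pf wants a
# full dotted quad in CIDR form, hence 172.20.1.0/24 rather than 172.20.1/24.
local_nets="{ 172.20.51.10 172.20.1.0/24 }"

scrub in all

# Original rule from the thread, kept disabled. "from $if_bce0" expands to
# the interface's own address (172.20.51.10), so it only matches packets the
# host itself sends, and evaluating it "out on bce1" runs after normal
# routing has already chosen the default gateway.
# pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to any

# Corrected rules: decide on the inbound side of bce0 instead.
# 1. Packets for the host itself or for 172.20.1/24 keep normal routing;
#    "quick" stops evaluation so the route-to rule below never sees them.
pass in quick on $if_bce0 from any to $local_nets
# 2. Everything else arriving from the 172.20.51/24 network ($if_bce0:network,
#    the attached subnet rather than the interface address) is sent back out
#    bce0 to 172.20.51.1 instead of following the default route over bce1.
pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
    from $if_bce0:network to any

# Parse without loading, to catch syntax errors before touching the live
# ruleset:  pfctl -nf /etc/pf.conf
```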