From owner-freebsd-pf@FreeBSD.ORG Sat Feb 28 22:34:39 2009
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DC0AC1065679 for ; Sat, 28 Feb 2009 22:34:39 +0000 (UTC) (envelope-from tom@uffner.com)
Received: from eris.uffner.com (eris.uffner.com [207.245.121.212]) by mx1.freebsd.org (Postfix) with ESMTP id 78F058FC08 for ; Sat, 28 Feb 2009 22:34:39 +0000 (UTC) (envelope-from tom@uffner.com)
Received: from xiombarg.uffner.com (static-71-162-143-94.phlapa.fios.verizon.net [71.162.143.94]) (authenticated bits=0) by eris.uffner.com (8.14.3/8.14.3) with ESMTP id n1SMYT2P009536 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sat, 28 Feb 2009 17:34:38 -0500 (EST) (envelope-from tom@uffner.com)
Message-ID: <49A9BBF5.1060706@uffner.com>
Date: Sat, 28 Feb 2009 17:34:29 -0500
From: Tom Uffner
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8.1.19) Gecko/20090125 SeaMonkey/1.1.14
MIME-Version: 1.0
To: Zinevich Denis
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua>
In-Reply-To: <49A8FED7.3000603@ngc.net.ua>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.94.2/9056/Sat Feb 28 00:10:15 2009 on eris.uffner.com
X-Virus-Status: Clean
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd 7.1 pf route-to connection stall
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 28 Feb 2009 22:34:40 -0000

Zinevich Denis wrote:
> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
> work.
> But anyway, the question is not about the syntax of the rules, because
> nobody touched it and it was working on 6.3 and 7.1-p2, but not on 7.1-p3.
>
> The network is quite simple.
> The server has 2 cards, bce0 and bce1:
> bce0 - 172.20.51.10
> bce1 - 172.20.1.130
> default gw - 172.20.1.1
> networks are /24
>
> As I described before, the goal of my rule is to ignore the default route
> when a request comes in on 172.20.51.10.
> Without such a rule the reply will go to 172.20.1.1, and with the pf rule
> it will go out to 172.20.51.1 via bce0.
> For example, the similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from
> 172.20.51.10 to any
>
>> Link wrote:
>>> My full configuration is:
>>>
>>> if_bce0="bce0"
>>> if_bce0_gw="172.20.51.1"
>>> if_bce1="bce1"
>>>
>>> scrub in all
>>>
>>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to
>>> any no state flags any

I apologize for misunderstanding the part of your reply about FreeBSD 7.1
patchlevels. I realized my error too late, after I had sent the message.

The simplest way to do what you want doesn't involve a firewall at all.
Simply configure the devices on the 172.20.51/24 network with the
following routes:

Destination      Gateway
default          172.20.51.1
172.20.1/24      172.20.51.10

If this is not possible for some reason and you must bounce them through
the firewall, I think the rules you want are:

pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
    from $if_bce0:network to any

According to my understanding of pf syntax, it was probably a bug that
your ruleset ever worked. "... from $if_bce0 ..." should have matched only
packets from the local server w/ source addresses of 172.20.51.10. Just
adding :network to the $if_bce0 in the from clause of your rule should
make it do what you want, but it is quite inefficient.

You are checking every outbound packet on bce1 after all of the normal
processing & routing has been done, rewriting the ones that arrived on
bce0 and sending them back through the network subsystem again. It would
be better to check the in-bound packets on bce0, accept the ones destined
for the local host or the 172.20.1/24 network, and re-route the ones that
would use the default gw.

tom
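Added example (not part of the thread, and not pf itself): a small Python model of how pf would evaluate the two "pass in on bce0" rules Tom proposes, using the interface names and addresses Denis gave. It models three pf.conf facts that the argument above relies on: an interface name in a from/to clause expands to that interface's own address (so "from $if_bce0" means 172.20.51.10 only), "$if_bce0:network" expands to the attached subnet 172.20.51.0/24, and the last matching rule wins unless a matching rule is "quick", which ends evaluation at once. The LAN host 172.20.51.20, the 172.20.1.50 host and 8.8.8.8 used as test packets are constructed for illustration. State tracking, scrub and reply-to are deliberately left out.

```python
"""Toy model of pf rule evaluation for Tom's 'pass in on bce0' rules.
Added example, not code from the thread; host addresses 172.20.51.20,
172.20.1.50 and 8.8.8.8 are constructed test packets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv4Network]

# Topology from the thread: bce0 on 172.20.51/24, bce1 on 172.20.1/24, default gw 172.20.1.1
IF_BCE0 = "bce0"
IF_BCE1 = "bce1"
BCE0_ADDR = ipaddress.ip_address("172.20.51.10")   # what '$if_bce0' expands to in a from/to clause
BCE0_NET = ipaddress.ip_network("172.20.51.0/24")  # what '$if_bce0:network' expands to
BCE0_GW = ipaddress.ip_address("172.20.51.1")
BCE1_NET = ipaddress.ip_network("172.20.1.0/24")
DEFAULT_GW = ipaddress.ip_address("172.20.1.1")


@dataclass
class Rule:
    """One 'pass in on <iface> [quick] [route-to (...)] from <src> to <dsts>' rule.
    src=None or dsts=None means 'any'."""
    iface: str
    src: Optional[Addr]
    dsts: Optional[List[Addr]]
    quick: bool = False
    route_to: Optional[ipaddress.IPv4Address] = None


def _hit(addr: ipaddress.IPv4Address, spec: Optional[Addr]) -> bool:
    if spec is None:
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec
    return addr == spec


def rule_matches(rule: Rule, in_if: str, src, dst) -> bool:
    return (rule.iface == in_if
            and _hit(src, rule.src)
            and (rule.dsts is None or any(_hit(dst, d) for d in rule.dsts)))


def winning_rule(rules: List[Rule], in_if: str, src, dst) -> Optional[Rule]:
    """pf's rule selection: the LAST matching rule wins, except that a matching
    'quick' rule ends evaluation at once. None = nothing matched (default pass)."""
    winner = None
    for r in rules:
        if rule_matches(r, in_if, src, dst):
            winner = r
            if r.quick:
                break
    return winner


def next_hop(rules: List[Rule], in_if: str, src: str, dst: str) -> str:
    """Where a packet arriving on in_if ends up: the route-to gateway if the winning
    rule has one, otherwise the normal routing table (connected nets, then default)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    r = winning_rule(rules, in_if, s, d)
    if r is not None and r.route_to is not None:
        return f"route-to {r.route_to} via {IF_BCE0}"
    if d == BCE0_ADDR:
        return "local delivery"
    if d in BCE0_NET:
        return f"direct via {IF_BCE0}"
    if d in BCE1_NET:
        return f"direct via {IF_BCE1}"
    return f"default gw {DEFAULT_GW} via {IF_BCE1}"


def build_rules(src_spec: Addr, quick: bool = True) -> List[Rule]:
    """Tom's ruleset:
      pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
      pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) from <src_spec> to any
    src_spec=BCE0_NET models 'from $if_bce0:network'; BCE0_ADDR models 'from $if_bce0'."""
    return [
        Rule(IF_BCE0, None, [BCE0_ADDR, BCE1_NET], quick=quick),
        Rule(IF_BCE0, src_spec, None, route_to=BCE0_GW),
    ]


TOM_RULES = build_rules(BCE0_NET)                    # the rules as Tom wrote them
LITERAL_IF_RULES = build_rules(BCE0_ADDR)            # same, but 'from $if_bce0' (no :network)
NO_QUICK_RULES = build_rules(BCE0_NET, quick=False)  # same as TOM_RULES minus 'quick'

if __name__ == "__main__":
    # A constructed LAN host on bce0's subnet sending to the server, to a host
    # on 172.20.1/24, and to the Internet, under each of the three rulesets.
    for name, rules in (("tom", TOM_RULES), ("literal-if", LITERAL_IF_RULES), ("no-quick", NO_QUICK_RULES)):
        for dst in ("172.20.51.10", "172.20.1.50", "8.8.8.8"):
            print(f"{name:10s} bce0 172.20.51.20 -> {dst:13s} : {next_hop(rules, 'bce0', '172.20.51.20', dst)}")
```

Running it shows the three points at once: with Tom's rules, Internet-bound traffic from the LAN is forced to 172.20.51.1 while traffic for the server itself and for 172.20.1/24 is passed normally; with "from $if_bce0" instead of ":network" the route-to rule never matches a LAN host, so everything falls through to the default gateway; and without "quick" on the first rule, last-match-wins lets the route-to rule capture the 172.20.1/24 traffic too. On a real box the check that matters is loading the candidate ruleset with pfctl -nf /etc/pf.conf for a syntax check before pfctl -f, and watching pfctl -ss / tcpdump on both interfaces for the asymmetric paths this model ignores.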