From: Nils Beyer
Organization: VKF Renzel GmbH
Date: Wed, 05 Apr 2017 14:29 +0200
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Slawa Olhovchenkov wrote:
> I.e. you can't build rules based on "replies", only on "origins",
> source IP address generated packets (as your ipfw fwd rules).
Okay, let's ditch the word "reply". I meant it so that these packets are generated by software in response to incoming packets. If I try

    ping -S 8.0.0.1 8.8.8.8

or

    ping -S 9.0.0.1 8.8.8.8

I always see packets only going out on the default gateway's interface.

So, I refine my question to: in what way are these PF rules:

------------------------------------------------------------------------------
pass out on wan1 route-to (wan2 9.0.0.254) from 9.0.0.1
pass out on wan2 route-to (wan1 8.0.0.254) from 8.0.0.1
------------------------------------------------------------------------------

different from these IPFW rules:

------------------------------------------------------------------------------
ipfw add 65000 fwd 9.0.0.254 all from 9.0.0.1 to any via wan1
ipfw add 65001 fwd 8.0.0.254 all from 8.0.0.1 to any via wan2
------------------------------------------------------------------------------

?

Regards,
Nils
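The following is an added toy model, not code from the thread or from FreeBSD, of what the two rule sets in the message above match on as written: both are keyed on the interface the ordinary destination lookup already picked (`on wan1` / `via wan1`) plus the packet's source address, and then override the next hop. The only difference visible in the rule text is that `route-to (wan2 9.0.0.254)` names the new interface explicitly while `fwd 9.0.0.254` only names a next hop, so the model resolves the ipfw interface from the next hop's connected route. The interface names and addresses come from the posted rules; the routing table (wan1 holds the default route, each WAN has a connected /24) and the evaluation order are assumptions of the model. The first assertion in the usage reproduces the observation that, with no policy rule, both sources leave on the default interface.

```python
"""Toy model of PF route-to versus ipfw fwd matching for locally generated packets.

Added example, not the thread's or FreeBSD's code.  The routing table and the
evaluation order below are assumptions; interface names and addresses are the
ones from the posted rules.
"""
import ipaddress
from dataclasses import dataclass

# Assumed routing table: each WAN has a connected /24; wan1 holds the default route.
CONNECTED = {
    "wan1": ipaddress.ip_network("8.0.0.0/24"),
    "wan2": ipaddress.ip_network("9.0.0.0/24"),
}
DEFAULT_IF, DEFAULT_GW = "wan1", "8.0.0.254"


def route_lookup(dst: str):
    """Plain destination-based lookup: connected routes first, else the default."""
    d = ipaddress.ip_address(dst)
    for ifname, net in CONNECTED.items():
        if d in net:
            return ifname, dst       # on-link: next hop is the destination itself
    return DEFAULT_IF, DEFAULT_GW


@dataclass
class PfRouteTo:
    """pass out on <on_if> route-to (<to_if> <gw>) from <src>"""
    on_if: str
    to_if: str
    gw: str
    src: str


@dataclass
class IpfwFwd:
    """ipfw add fwd <gw> all from <src> to any via <via_if>"""
    gw: str
    src: str
    via_if: str


def pf_egress(pkt_src: str, pkt_dst: str, rules):
    """Route first; a route-to rule fires only if the packet was about to leave
    on the rule's 'on' interface, and the rule names the new interface itself."""
    ifname, gw = route_lookup(pkt_dst)
    for r in rules:
        if r.on_if == ifname and r.src == pkt_src:
            return r.to_if, r.gw
    return ifname, gw


def ipfw_egress(pkt_src: str, pkt_dst: str, rules):
    """Same match (outgoing interface plus source), but fwd only supplies a next
    hop; the egress interface is whatever that next hop is reachable through."""
    ifname, gw = route_lookup(pkt_dst)
    for r in rules:
        if r.via_if == ifname and r.src == pkt_src:
            return route_lookup(r.gw)[0], r.gw
    return ifname, gw


# The two rule sets exactly as posted in the message.
PF_RULES = [
    PfRouteTo(on_if="wan1", to_if="wan2", gw="9.0.0.254", src="9.0.0.1"),
    PfRouteTo(on_if="wan2", to_if="wan1", gw="8.0.0.254", src="8.0.0.1"),
]
IPFW_RULES = [
    IpfwFwd(gw="9.0.0.254", src="9.0.0.1", via_if="wan1"),
    IpfwFwd(gw="8.0.0.254", src="8.0.0.1", via_if="wan2"),
]

if __name__ == "__main__":
    for src in ("8.0.0.1", "9.0.0.1"):
        print(src, "no policy:", pf_egress(src, "8.8.8.8", []),
              "pf:", pf_egress(src, "8.8.8.8", PF_RULES),
              "ipfw:", ipfw_egress(src, "8.8.8.8", IPFW_RULES))
```

In this model the `ping -S 9.0.0.1 8.8.8.8` packet is first routed to wan1 by the default route, which is exactly what makes the `on wan1` / `via wan1` rule match; without either rule it stays on wan1, which is the behaviour reported above. Whether the real pf and ipfw output paths treat locally generated packets the same way is the question the thread is asking, and the model does not settle it.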