From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Nils Beyer
Cc: freebsd-net@freebsd.org
Date: Wed, 5 Apr 2017 16:26:02 +0300
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Message-ID: <20170405132602.GC20974@zxy.spb.ru>
References: <4956261.2DO1X0b8Gd@asbach.renzel.net> <20170405113352.GB20974@zxy.spb.ru> <29877.6759453633$1491395346@news.gmane.org>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Apr 05, 2017 at 02:46:06PM +0200, Nils Beyer wrote:
> I wrote:
> > If I try
> >
> >   ping -S 8.0.0.1 8.8.8.8
> >
> > or
> >
> >   ping -S 9.0.0.1 8.8.8.8
> >
> > I always see packets only going out on the default gateway's interface.
>
> Sorry, my fault. After issuing a "pfctl -F all", these ICMP packets are
> now going through the designated interface.
>
> The problem with externally induced responses is still there, though...

The responses are generated stateless, i.e. the generated ICMP is not an
"answer" to some packets; these are just ICMP packets destined to some host,
with the source address selected by routing and the interface with the
default gateway.
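For readers following the thread, the kind of pf.conf fragment the ping -S test above exercises is shown here as an added example; it is not configuration posted by either participant. The interface names (em0, em1) and gateway addresses (8.0.0.254, 9.0.0.254) are assumptions; only the two local addresses 8.0.0.1 and 9.0.0.1 come from the thread. The rules steer locally originated packets by their source address with route-to, so a packet sourced from the secondary address that the routing table would send via the default gateway is pushed out the other interface instead:

```pf
# Added example, not from the thread. Interface names and gateways are assumed.
ext_a = "em0"        # carries 8.0.0.1, default route via 8.0.0.254 (assumed)
ext_b = "em1"        # carries 9.0.0.1, gateway 9.0.0.254 (assumed)
gw_a  = "8.0.0.254"
gw_b  = "9.0.0.254"

# A packet sourced from 9.0.0.1 that the routing table hands to ext_a
# (the default gateway's interface) is re-routed out ext_b to ext_b's gateway.
pass out quick on $ext_a inet from 9.0.0.1 route-to ($ext_b $gw_b) keep state

# Symmetric case: 8.0.0.1-sourced traffic that ends up on ext_b goes back via ext_a.
pass out quick on $ext_b inet from 8.0.0.1 route-to ($ext_a $gw_a) keep state

# Everything else is left to the routing table.
pass out on { $ext_a, $ext_b } keep state
```

Load with `pfctl -f /etc/pf.conf` and, as Nils found, flush stale state with `pfctl -F all` before re-testing, since packets matching an existing state are not re-evaluated against these rules. The rules only act on packets that already carry the secondary address as source; they do nothing about the case Slawa describes, where the kernel itself picks the source address of a stateless ICMP message by routing.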