From: Marek Zarychta
To: Nils Beyer
Cc: freebsd-net@freebsd.org
Date: Wed, 5 Apr 2017 20:10:21 +0200
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Message-ID: <20170405181021.GA76030@plan-b.pwste.edu.pl>
In-Reply-To: <201704051246.v35CkKB3028504@plan-b.pwste.edu.pl>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Apr 05, 2017 at 02:46:06PM +0200, Nils Beyer wrote:
> I wrote:
> > If I try
> >
> > ping -S 8.0.0.1 8.8.8.8
> >
> > or
> >
> > ping -S 9.0.0.1 8.8.8.8
> >
> > I always see packets only going out on the default gateway's interface.
>
> Sorry, my fault. After issuing a "pfctl -F all", these ICMP packets are
> now going through the designated interface.
>
> The problem with externally induced responses is still there, though...

With PF, each IP packet can be forwarded or replied to in a "tricky" way using the right "route-to" or "reply-to" rules.

Let's assume ext_if_1 is the default interface and all packets originating from the host via the default GW have the source address of ext_if_1. ext_if_2 is a backup interface and ip_gw_2 is its GW.
The rules below should do the job for ICMP echo requests, almost any TCP service and some finely written (in terms of code quality) UDP services:

    # echo requests arriving on the default interface: normal routing
    pass in quick on $ext_if_1 \
        inet proto icmp all \
        icmp-type 8 code 0 keep state
    # echo requests arriving on the backup interface: replies go back via ip_gw_2
    pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
        inet proto icmp all \
        icmp-type 8 code 0 keep state
    # TCP/UDP services bound to the default interface address
    pass in quick on $ext_if_1 \
        inet proto {tcp, udp} \
        from any \
        to $ext_if_1 keep state
    # TCP/UDP services bound to the backup interface address: replies go back via ip_gw_2
    pass in quick on $ext_if_2 \
        reply-to ($ext_if_2 $ip_gw_2) \
        inet proto {tcp, udp} \
        from any \
        to $ext_if_2 keep state

If your machine is not forwarding packets, then take a look at setfib(1), because PF "route-to" is IMHO reserved for routing purposes only.

Best regards,

--
Marek Zarychta
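A complete pf.conf built around the rules in the message above, added here as an illustration and not taken from Marek's mail or from FreeBSD; the interface names, the gateway address and the `set skip` line are placeholders and assumptions, to be replaced with the host's own values:

```pf
# Added example, not part of the original message. Interface names and the
# gateway address are placeholders; substitute the host's real values.
ext_if_1 = "em0"          # interface the default route leaves through
ext_if_2 = "em1"          # backup uplink
ip_gw_2  = "192.0.2.1"    # next hop reachable through $ext_if_2 (placeholder)

set skip on lo0           # assumption: no filtering on loopback

# Echo requests that arrive on the backup interface create a state that
# carries the reply-to route, so the echo reply is pushed out through
# $ext_if_2 towards $ip_gw_2 instead of following the default route.
pass in quick on $ext_if_1 inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
    inet proto icmp all icmp-type 8 code 0 keep state

# The same idea for TCP/UDP services bound to each interface address: every
# reply packet of a connection that entered on $ext_if_2 follows the
# reply-to route recorded in its state.
pass in quick on $ext_if_1 inet proto { tcp, udp } from any to $ext_if_1 keep state
pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
    inet proto { tcp, udp } from any to $ext_if_2 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Note that reply-to only acts on states created by inbound packets; traffic the host originates itself (the `ping -S` case in the quoted text) is routed by the kernel's routing table, which is why the message points at setfib(1) for hosts that do not forward packets.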