Date:      Wed, 5 Apr 2017 20:10:21 +0200
From:      Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To:        Nils Beyer <nbe@renzel.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Message-ID:  <20170405181021.GA76030@plan-b.pwste.edu.pl>
In-Reply-To: <201704051246.v35CkKB3028504@plan-b.pwste.edu.pl>
References:  <4956261.2DO1X0b8Gd@asbach.renzel.net> <20170405113352.GB20974@zxy.spb.ru> <29877.6759453633$1491395346@news.gmane.org> <201704051246.v35CkKB3028504@plan-b.pwste.edu.pl>


On Wed, Apr 05, 2017 at 02:46:06PM +0200, Nils Beyer wrote:
> I wrote:
> > If I try
> >
> >	ping -S 8.0.0.1 8.8.8.8
> >
> > or
> >
> >	ping -S 9.0.0.1 8.8.8.8
> >
> > I always see packets only going out on the default gateway's interface.
>
> sorry, my fault. After issuing a "pfctl -F all", these ICMP packets are
> now going through the designated interface.
>
> The problem with externally induced responses is still there, though...
>

With PF each IP packet can be "trickily" forwarded or replied to using the right "route-to" or "reply-to" rules.
Let's assume ext_if_1 is the default interface and all packets originating from the host via the default GW have the source address of ext_if_1. ext_if_2 is a backup interface and ip_gw_2 is its GW.
The rules below should do the job for ICMP echo requests, almost any TCP service and some well-written (in terms of code quality) UDP services:

  pass in quick on $ext_if_1 \
       inet proto icmp all \
       icmp-type 8 code 0 keep state

  pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
       inet proto icmp all \
       icmp-type 8 code 0 keep state

  pass in quick on $ext_if_1 \
       inet proto {tcp, udp} \
       from any \
       to $ext_if_1 keep state

  pass in quick on $ext_if_2 \
       reply-to ($ext_if_2 $ip_gw_2) \
       inet proto {tcp, udp} \
       from any \
       to $ext_if_2 keep state


If your machine is not forwarding packets, then take a look at setfib(1), because PF "route-to" is IMHO reserved for routing purposes only.

Best regards,

--
Marek Zarychta

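The asymmetric-reply problem discussed in this thread, as an added simulation that is not part of the mail and not PF code: a small model of a multihomed host whose routing table has a single default route via ext_if_1, with PF-style stateful "pass in" rules where the ext_if_2 rule optionally carries "reply-to (ext_if_2 ip_gw_2)". The host addresses 8.0.0.1 and 9.0.0.1 are taken from the thread; the gateways 8.0.0.254 and 9.0.0.254, the peer 203.0.113.5 and the SSH port are constructed for the example. The model only covers what the mail relies on: first-match "quick" rules, a state entry keyed on the 5-tuple, and the rule that a state's reply-to overrides the forwarding table for packets flowing in the reverse direction.

```python
"""Constructed simulation of PF 'reply-to' on a stateful inbound rule (example only)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Forwarding table of the host: (prefix, interface, next hop; None means on-link).
# Only one default route, via ext_if_1 (constructed gateway addresses).
ROUTES = [
    (ip_network("0.0.0.0/0"), "ext_if_1", "8.0.0.254"),
    (ip_network("8.0.0.0/24"), "ext_if_1", None),
    (ip_network("9.0.0.0/24"), "ext_if_2", None),
]


def route_lookup(dst: str) -> Tuple[str, Optional[str]]:
    """Longest-prefix match, the decision the kernel makes without PF's help."""
    addr = ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    iface: Optional[str] = None   # arrival interface for inbound packets; None for locally generated replies


@dataclass
class Rule:
    iface: str                              # "pass in quick on <iface>"
    proto: str
    to: str                                 # "to <address>"
    reply_to: Optional[Tuple[str, str]] = None   # "reply-to (<iface> <gateway>)", or absent


@dataclass
class PF:
    rules: list
    states: dict = field(default_factory=dict)   # 5-tuple -> reply_to of the rule that created the state

    def inbound(self, pkt: Packet) -> bool:
        """Evaluate 'pass in quick ... keep state' rules; the first match creates the state."""
        for r in self.rules:
            if (r.iface, r.proto, r.to) == (pkt.iface, pkt.proto, pkt.dst):
                key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.states[key] = r.reply_to
                return True
        return False   # no rule matched: the packet would be dropped by a default block

    def outbound(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Pick the egress path for a reply: a state's reply-to wins over the forwarding table."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the inbound tuple
        reply_to = self.states.get(key)
        if reply_to is not None:
            return reply_to                 # forced out of ext_if_2 towards ip_gw_2
        return route_lookup(pkt.dst)        # otherwise the default route: the asymmetric path


def reply_path(with_reply_to: bool) -> Tuple[str, Optional[str]]:
    """A TCP SYN from a peer arrives on the backup interface; where does the SYN/ACK leave?"""
    backup_reply_to = ("ext_if_2", "9.0.0.254") if with_reply_to else None
    pf = PF([
        Rule("ext_if_1", "tcp", "8.0.0.1"),
        Rule("ext_if_2", "tcp", "9.0.0.1", reply_to=backup_reply_to),
    ])
    syn = Packet("tcp", "203.0.113.5", "9.0.0.1", sport=40000, dport=22, iface="ext_if_2")
    assert pf.inbound(syn)
    synack = Packet("tcp", "9.0.0.1", "203.0.113.5", sport=22, dport=40000)
    return pf.outbound(synack)


if __name__ == "__main__":
    print("without reply-to:", reply_path(False))   # ('ext_if_1', '8.0.0.254'): reply leaves via the default GW
    print("with reply-to:   ", reply_path(True))    # ('ext_if_2', '9.0.0.254'): reply goes back the way it came
```

Running it shows the two cases side by side: without reply-to the SYN/ACK sourced from 9.0.0.1 is handed to the default gateway on ext_if_1, which is exactly the asymmetric path the upstream on ext_if_2 never sees; with reply-to the state entry carries the egress interface and gateway, so the reply is sent out of ext_if_2 regardless of the forwarding table. Locally originated connections (the "ping -S" case) are not covered by this model, which is why the mail points at setfib(1) for a host that does not forward packets.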
