PF route-to behavior
Alexandre Biancalana
ale at seudns.net
Mon Mar 12 22:07:38 UTC 2007
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Tom Judge wrote:
>>>>>>> Alexandre Biancalana wrote:
>>>>>>>> Hi List,
>>>>>>>>
>>>>>>>>
>>>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two
>>>>>>>> Internet links, but I can't get the route-to rule to work as I
>>>>>>>> need.
>>>>>>>>
>>>>>>>>
>>>>>>>>    (default gw)         ______
>>>>>>>> Link A <-----------> |int A |
>>>>>>>>                      |      |
>>>>>>>> Link B <-----------> |int B |
>>>>>>>>                      |______|
>>>>>>>>                      FreeBSD FW
>>>>>>>>
>>>>>>>> A simple thing that I need to do is test the two Internet links
>>>>>>>> to know if they are up or not. To do this I could ping or
>>>>>>>> connect to TCP ports on some external IPs through each link. Using
>>>>>>>> nc and hping I tried to do this, generating connections/packets from
>>>>>>>> each network interface connected to each link, but the packets
>>>>>>>> always go out by the interface indicated by the machine's default
>>>>>>>> route.
>>>>>>>>
>>>>>>>> I tried to add these rules in pf to force packets out by the
>>>>>>>> right interface based on their source address, but this does not
>>>>>>>> work, and the packets generated with the IP of int B are going out
>>>>>>>> by int A.
>>>>>>>>
>>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>>>>
>>>
>>>
>>>
>>> My mistake, I only looked at the header of the ping man page.
>>>
>>> These are the rules that I would use in that situation:
>>>
>>> if_a=em0
>>> ip_a=192.168.0.2
>>> gw_a=192.168.0.1
>>> net_a=192.168.0.0/24
>>> if_b=em1
>>> ip_b=192.168.1.2
>>> gw_b=192.168.1.1
>>> net_b=192.168.1.0/24
>>>
>>>
>>> pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_a to ! $net_b
>>> pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_b to ! $net_a
>>
>>
>> The difference is that my rules are for internet traffic, I don't
>> have fixed destinations....
>>
>>
>
> Ok so substitute the private IP addresses and networks in the rules (
> and the interfaces) and you should be sorted. We use exactly the same
> configuration but with both public IP addresses on one interface.
> Then if you connect from $ip_b to a public IP address not in $net_b
> you should see it routed via if_b to $gw_b. The only time I have seen
> these rules fail is when the IPsec code in the kernel transmits ESP
> packets, which seem to pass through pf with some weird interfaces set or
> don't pass through pf at all. All other traffic generated on ip_a or
> ip_b will always pass to the correct ISP's router.
>
> The fact that the example rules I posted used private IP addresses is
> neither here nor there, if you make the appropriate changes to:
>
> ip_[ab]
> gw_[ab]
> net_[ab]
> if_[ab]
>
> Then the example rules should do what you want.
>
I understand that, I just don't see much difference between your rules and my
rule examples... both examples should work... but here none of them
work.....
Adding a static destination route to an external host via gw_b and pinging
with int_a's address, the packet exits by int_b with int_a's source
address... the same behavior...
I tried your way:
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network
# pfctl -vv -sr
@28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
  [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
@29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
  [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]
Any more hints?!
Alexandre
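As an added example that is not part of the thread or of either poster's configuration: a minimal dual-uplink pf.conf of the kind discussed above, with placeholder interface names, addresses and gateways (assumptions, not the posters' real values). Two points worth spelling out. First, pf applies the last matching rule unless a rule carries `quick`, so a later `pass out` rule can silently take over the packets a route-to rule was meant to catch; a rule with a non-zero Evaluations count but zero Packets in `pfctl -vvsr`, as in the output above, was reached but never ended up as the rule that decided a packet. Second, for locally generated packets the kernel's routing table picks the default route (link A) first, so packets sourced from link B's address show up at the `out on $if_a` hook; `route-to` changes only the egress interface and next hop, never the source address, which is exactly what a per-link reachability test needs.

```pf
# Added example (not the posters' rules): dual-uplink pf.conf for FreeBSD.
# Interface names, addresses and gateways are placeholders (assumptions).
if_a = "em0"
if_b = "em1"
gw_a = "203.0.113.1"     # placeholder gateway on link A (the default route)
gw_b = "198.51.100.1"    # placeholder gateway on link B

set skip on lo0

# Locally generated packets sourced from link B's address are handed to the
# default route (link A); redirect them to link B's gateway, and vice versa.
# "quick" stops a later pass rule from overriding these (pf is last-match
# without it); "keep state" is written out rather than relied on as a default.
pass out quick log on $if_a route-to ($if_b $gw_b) from ($if_b) to ! $if_b:network keep state
pass out quick log on $if_b route-to ($if_a $gw_a) from ($if_a) to ! $if_a:network keep state

# Replies to connections that arrived on link B must leave via link B's
# gateway, not the default route: reply-to does for inbound what route-to
# does for outbound.
pass in quick on $if_b reply-to ($if_b $gw_b) proto tcp from any to ($if_b) port ssh keep state
pass in quick on $if_a proto tcp from any to ($if_a) port ssh keep state

# Outbound traffic that is already on the interface owning its source address.
pass out quick on $if_a from ($if_a) keep state
pass out quick on $if_b from ($if_b) keep state
```

To exercise it, source a probe explicitly from each link's address (`ping -S <link B address> <external host>`, or `nc -s` for a TCP port) and watch `pfctl -vvsr`: the route-to rule for that link should now accumulate Packets and States, not just Evaluations. Because the route-to rules carry `log`, `tcpdump -n -e -ttt -i pflog0` shows the rule number and the interface each logged packet was passed on, which is the quickest way to tell a rule that never matched from one that matched but was overridden.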
More information about the freebsd-net mailing list