PF route-to behavior

Alexandre Biancalana ale at seudns.net
Tue Mar 13 03:25:07 UTC 2007 

Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Tom Judge wrote:
>>>>>>> Alexandre Biancalana wrote:
>>>>>>>> Tom Judge wrote:
>>>>>>>>> Alexandre Biancalana wrote:
>>>>>>>>>> Hi List,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I´m doing a firewall setup using 6-STABLE + PF with two 
>>>>>>>>>> internet links but I can't do the route-to rule function as I 
>>>>>>>>>> need.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>          (default gw)    ______
>>>>>>>>>>  Link A <-----------> |int A  |
>>>>>>>>>>                                  |           |
>>>>>>>>>>  Link B <-----------> |int B  |
>>>>>>>>>>                                  |______|
>>>>>>>>>>                              FreeBSD FW
>>>>>>>>>>
>>>>>>>>>> A simple thing that I need to do is test the two Internet 
>>>>>>>>>> links to know if they are up or not. To do this I could ping 
>>>>>>>>>> or connect tcp ports on some external ips thought each link, 
>>>>>>>>>> using nc and hping I tried do this generate 
>>>>>>>>>> connections/packets from each network interface connected to 
>>>>>>>>>> each link but the packets always go out by the interface 
>>>>>>>>>> indicated by machines default route.
>>>>>>>>>>
>>>>>>>>>> I tried to add this rules in pf to force packets out by the 
>>>>>>>>>> right interface based in your source address, but this does 
>>>>>>>>>> not work, and the packets generated with ip of int B are 
>>>>>>>>>> going out by int A.
>>>>>>>>>>
>>>>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from 
>>>>>>>>>> $int_b to any
>>>>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from 
>>>>>>>>>> $int_a to any
>>>>>>>>>>
>
> <SNIP/>
>
>> I understand that, I just don't see much difference in your rules and 
>> my rules example... the both examples should work... but here none 
>> off then work.....
>>
>> Adding a static destination route to an external host via gw_b and 
>> ping with int_a address, the packet exit by int_b with int_a source 
>> address... the same behavior...
>>
>> I tried your way:
>>
>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! 
>> int_b:network
>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! 
>> int_a:network
>>
>>
>> # pfctl -vv -sr
>> @28 pass out log on int_a route-to (int_b int_b_gw) inet from 
>> int_b_ip to ! int_b:network
>>  [ Evaluations: 88        Packets: 0         Bytes: 0           
>> States: 0     ]
>> @29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a 
>> to ! int_a:network
>>  [ Evaluations: 80        Packets: 0         Bytes: 0           
>> States: 0     ]
>>
>> Any more hints ?!
>
> Han Hwei Woo wrote:
> > Just to be certain, are you aware that for PF, the last matching 
> rule is
> > applied? Also, you can use the command:
> > # pfctl -vv -sr
> > to examine how your rules are being matched.
>
> Try the following which forces the first rule the packet matches 
> (marked with quick) to be the final rule used to process the packet:
>
> pass out quick log on $int_a route-to ( $int_b $int_b_gw ) from $int_b 
> to  ! int_b:network
> pass out quick log on $int_b route-to ( $int_a $int_a_gw ) from $int_a 
> to ! int_a:network

I added an keep state at end of each rule and now all works ! I will do 
more tests and report any problem...

Thanks in advance !!!

Alexandre

More information about the freebsd-net mailing list