[PF] Symmetric routing enforcement, how-to without using "reply-to"...
Nils Beyer
nbe at renzel.net
Wed Apr 5 12:29:04 UTC 2017
Slawa Olhovchenkov wrote:
> I.e. you can't build rules based on "replies", only on "origins",
> source IP address generated packets (as your ipfw fwd rules).
okay, let's ditch the word "reply". I meant it so that these packets are
generated by software due to incoming packets.
If I try
ping -S 8.0.0.1 8.8.8.8
or
ping -S 9.0.0.1 8.8.8.8
I always see packets only going out on the default gateway's interface.
So, I refine my question to:
in what way are these PF rules:
------------------------------------------------------------------------------
pass out on wan1 route-to (wan2 9.0.0.254) from 9.0.0.1
pass out on wan2 route-to (wan1 8.0.0.254) from 8.0.0.1
------------------------------------------------------------------------------
different from these IPFW rules:
------------------------------------------------------------------------------
ipfw add 65000 fwd 9.0.0.254 all from 9.0.0.1 to any via wan1
ipfw add 65001 fwd 8.0.0.254 all from 8.0.0.1 to any via wan2
------------------------------------------------------------------------------
?
Regards,
Nils