[PF] Symmetric routing enforcement, how-to without using "reply-to"...

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Wed Apr 5 18:21:19 UTC 2017


On Wed, Apr 05, 2017 at 02:46:06PM +0200, Nils Beyer wrote:
> I wrote:
> > If I try
> > 
> >	ping -S 8.0.0.1 8.8.8.8
> > 
> > or
> > 
> >	ping -S 9.0.0.1 8.8.8.8
> > 
> > I always see packets only going out on the default gateway's interface.
> 
> sorry, my fault. After issuing a "pfctl -F all", these ICMP packets are
> now going through the designated interface.
> 
> The problem with externally induced responses is still there, though...
> 

With PF, each IP packet can be "trickily" forwarded or replied to using the right "route-to" or "reply-to" rules.
Let's assume ext_if_1 is the default interface and all packets originating from the host via the default GW have the source address of ext_if_1. ext_if_2 is a backup interface and ip_gw_2 is its GW.
The rules below should do the job for ICMP echo requests, almost any TCP service and some well-written (in terms of code quality) UDP services:

  pass in quick on $ext_if_1 \
       inet proto icmp all \
       icmp-type 8 code 0 keep state

  pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
       inet proto icmp all \
       icmp-type 8 code 0 keep state

  pass in quick on $ext_if_1 \
       inet proto {tcp, udp} \
       from any \
       to $ext_if_1 keep state

  pass in quick on $ext_if_2 \
       reply-to ($ext_if_2 $ip_gw_2) \
       inet proto {tcp, udp} \
       from any \
       to $ext_if_2 keep state


If your machine is not forwarding packets, then take a look at setfib(1), because PF "route-to" is IMHO reserved for routing purposes only.

Best regards,

-- 
Marek Zarychta
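The fragment above uses the macros $ext_if_1, $ext_if_2 and $ip_gw_2 without defining them. Below is an added, complete pf.conf that puts Marek's rules into context; it is not part of the original message. The interface names em0/em1, the gateway address 192.0.2.1 (a documentation address), the default "block in" policy and the outbound pass rule are assumptions made for the example. The point being demonstrated: a connection or echo request that arrives on the backup interface is answered out of that same interface via its own gateway, instead of following the default route and leaving asymmetrically through $ext_if_1.

```pf
# Added example pf.conf (not from the original post); interface names,
# gateway address and default policy are assumptions.
ext_if_1 = "em0"          # assumed: interface holding the default route
ext_if_2 = "em1"          # assumed: backup interface
ip_gw_2  = "192.0.2.1"    # assumed: next hop reachable via $ext_if_2

set skip on lo0

# Assumed default policy: drop unsolicited inbound traffic, keep it in the log
# so that asymmetric-routing drops are visible rather than silent.
block in log

# Inbound on the default interface: plain stateful pass. Replies follow the
# routing table, which already points out of $ext_if_1.
pass in quick on $ext_if_1 \
     inet proto icmp all \
     icmp-type 8 code 0 keep state

pass in quick on $ext_if_1 \
     inet proto { tcp, udp } \
     from any \
     to $ext_if_1 keep state

# Inbound on the backup interface: reply-to pins the reply packets of the
# state to $ext_if_2 and its gateway, so they do not leak out of $ext_if_1.
pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
     inet proto icmp all \
     icmp-type 8 code 0 keep state

pass in quick on $ext_if_2 \
     reply-to ($ext_if_2 $ip_gw_2) \
     inet proto { tcp, udp } \
     from any \
     to $ext_if_2 keep state

# Assumed outbound rule: let the host's own traffic and stateful replies leave
# on either interface. reply-to on the inbound states decides which one.
pass out quick on { $ext_if_1, $ext_if_2 } keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -vsr` shows the loaded rules with their reply-to options, and `pfctl -ss` lists the states (a state created on em1 should show the reply leaving via em1). As the message notes, reply-to only covers responses to traffic that arrived on the backup interface; locally originated connections that should leave via $ext_if_2 are a routing matter, which is why setfib(1) is suggested for that case.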

