[PF] Symmetric routing enforcement, how-to without using "reply-to"...

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Thu Apr 6 16:56:38 UTC 2017


On Thu, Apr 06, 2017 at 09:08:49AM +0200, Nils Beyer wrote:
> Marek Zarychta wrote:
> >   pass in quick on $ext_if_1 \
> > [...]
> >   pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
> > [...]
> >   pass in quick on $ext_if_1 \
> > [...]
> >   pass in quick on $ext_if_2 \
> 
> that's what I meant in my opening post - you have to create a rule for
> every possible gateway. It even gets more complex if your server itself
> is a gateway for other servers in your network and you have to distribute
> outgoing traffic depending on the requesting server in your network.
> 
> So something simple like:
> ------------------------------------------------------------------------------
> ipfw add 60000 fwd $ip_gw_2 all from $ext_net_2 to any via $ext_if_1
> ipfw add 60001 fwd $ip_gw_1 all from $ext_net_1 to any via $ext_if_2
> ------------------------------------------------------------------------------
> 
> is not possible with PF?
> 

I think it will not be possible with PF, since both firewalls were designed with quite different approaches in mind. PF and IPFW can still be run together and combined on the same machine, but it needs some investigation into how the packet flow looks in such scenarios.

Setting multiple fibs and adequate PF rules ending with "rtable fib" statements seems to be the best choice IMHO.

Best regards,

-- 
Marek Zarychta
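As an added illustration (not part of this thread, nor configuration posted by either author), the pf.conf fragment below shows what the "multiple FIBs plus rtable" approach from the reply above looks like in practice, including the forwarding case Nils raised (internal hosts whose outgoing traffic must leave through a specific uplink). Interface names, addresses, gateway IPs and the host 198.51.100.77 are placeholders, and the FIB setup commands in the comments are assumptions about the host, not something the thread states.

```pf
# Added example: symmetric routing on a dual-homed FreeBSD host using
# two FIBs and PF "rtable" instead of per-gateway "reply-to" rules.
#
# Assumed prerequisites (run once, outside pf.conf):
#   kern/boot:  net.fibs=2                      (in /boot/loader.conf)
#   FIB 0:      default route via $ip_gw_1      (the normal default)
#   FIB 1:      route add -fib 1 default 198.51.100.1   (placeholder gw)
# Depending on net.add_addr_allfibs, the connected routes of $ext_if_2
# may also have to be added to FIB 1 explicitly (e.g. route add -fib 1
# -net 198.51.100.0/24 -iface em1); check with "setfib 1 netstat -rn".

ext_if_1  = "em0"              # uplink 1, gateway in FIB 0
ext_if_2  = "em1"              # uplink 2, gateway in FIB 1
ext_net_1 = "203.0.113.0/24"   # placeholder prefix on uplink 1
ext_net_2 = "198.51.100.0/24"  # placeholder prefix on uplink 2
int_if    = "em2"
lan_via_2 = "{ 10.0.0.50 }"    # placeholder LAN hosts that must use uplink 2

set skip on lo0
block in log all

# Locally terminated services reached via uplink 2: "rtable 1" tags the
# inbound packet with FIB 1, the resulting TCP connection inherits that
# FIB, and replies are routed via uplink 2's gateway without any
# "reply-to (ifname gw)" pair per interface.
pass in quick on $ext_if_2 inet proto { tcp udp } \
    to $ext_net_2 port { 22 80 443 } keep state rtable 1

# Same services via uplink 1 stay in the default FIB.
pass in quick on $ext_if_1 inet proto { tcp udp } \
    to $ext_net_1 port { 22 80 443 } keep state rtable 0

# Forwarded traffic: the PF analogue of the quoted
#   ipfw add ... fwd $ip_gw_2 all from <net> to any ...
# is to select FIB 1 on the inbound LAN rule; the routing lookup then
# picks uplink 2's default route for those hosts only.
pass in quick on $int_if inet from $lan_via_2 to any keep state rtable 1
pass in quick on $int_if inet from $int_if:network to any keep state

pass out quick on { $ext_if_1 $ext_if_2 } keep state
```

Note that "rtable" only influences the route lookup that happens after inbound filtering, so it belongs on "pass in" rules (as above), not on "pass out". To confirm replies really leave the expected interface, compare "pfctl -ss" state entries with "setfib 1 netstat -rn" and a packet capture on each uplink.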