[PF] Symmetric routing enforcement, how-to without using "reply-to"...
Takahiro Kurosawa
takahiro.kurosawa at gmail.com
Fri Apr 7 01:40:36 UTC 2017
2017-04-05 20:20 GMT+09:00 Nils Beyer <nbe at renzel.net>:
> That's my "pf.conf"
> ------------------------------------------------------------------------------
> scrub in all
>
> block in log
> pass in inet proto icmp
> pass in inet proto tcp to port { ssh }
> pass on lo0
>
> pass out
> pass out on wan1 route-to (wan2 9.0.0.254) from wan2
> pass out on wan2 route-to (wan1 8.0.0.254) from wan1
> ------------------------------------------------------------------------------
What if you change the line:
> pass in inet proto tcp to port { ssh }
to:
pass in inet proto tcp to port { ssh } no state
Without "no state", the incoming ssh packet generates a pf state entry,
then the response packets are probably passed by the state instead of
using "route-to" rules.