Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Hi List,
I'm doing a firewall setup using 6-STABLE + PF with two
Internet links, but I can't get the route-to rule to function as I
need.
                     (default gw)  ______
Link A <-----------> |int A |
                     |      |
Link B <-----------> |int B |
                     |______|
                    FreeBSD FW
A simple thing that I need to do is test the two Internet
links to know if they are up or not. To do this I could ping
or connect to TCP ports on some external IPs through each link.
Using nc and hping I tried to generate
connections/packets from each network interface connected to
each link, but the packets always go out by the interface
indicated by the machine's default route.
I tried to add these rules in pf to force packets out through the
right interface based on their source address, but this does
not work, and the packets generated with the IP of int B are
going out through int A.
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
<SNIP/>
I understand that, I just don't see much difference between your rules and
my example rules... both examples should work... but here none
of them work.....
Adding a static destination route to an external host via gw_b and
pinging with the int_a address, the packet exits by int_b with the int_a source
address... the same behavior...
I tried your way:
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network
# pfctl -vv -sr
@28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
  [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
@29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
  [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]
Any more hints?!
Han Hwei Woo wrote:
> Just to be certain, are you aware that for PF, the last matching
> rule is applied? Also, you can use the command:
> # pfctl -vv -sr
> to examine how your rules are being matched.
Try the following which forces the first rule the packet matches
(marked with quick) to be the final rule used to process the packet:
pass out quick log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
pass out quick log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network
I added a keep state at the end of each rule and now everything works! I will do
more tests and report any problem...
Thanks in advance!!!
Alexandre
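For readers landing on this thread later, here is a complete pf.conf fragment that puts together the three ingredients the exchange converged on (route-to, quick, and explicit keep state). This is an added example, not configuration posted by any participant; the interface names, addresses and gateways are constructed placeholders, and the final catch-all rule and the verification commands are my additions rather than anything from the thread.

```pf
# Added example: two-uplink FreeBSD 6.x firewall, pf.conf fragment.
# Interface names, addresses and gateways are constructed placeholders.

int_a    = "em0"            # uplink carrying the default route (assumed name)
int_b    = "em1"            # second uplink (assumed name)
int_a_gw = "192.0.2.1"      # gateway on link A (constructed)
int_b_gw = "198.51.100.1"   # gateway on link B (constructed)

# A packet sourced from int_b's address is first routed by the kernel out
# int_a (the default route). pf sees it as "out on $int_a"; route-to then
# overrides the kernel's choice and sends it via int_b's gateway instead,
# so source address and exit link stay consistent.
#
# quick:      stop evaluation here, so a later, more generic "pass out" rule
#             (which would keep the ordinary routing) cannot win as the
#             last matching rule.
# keep state: create a state entry so replies are matched to this rule and
#             follow the same path; on 6-STABLE state is not kept implicitly.
pass out quick log on $int_a route-to ($int_b $int_b_gw) \
    from $int_b to ! $int_b:network keep state
pass out quick log on $int_b route-to ($int_a $int_a_gw) \
    from $int_a to ! $int_a:network keep state

# Everything else leaves by the routing table as usual.
pass out on { $int_a $int_b } keep state

# Verification after "pfctl -f /etc/pf.conf":
#   pfctl -vv -sr   # per-rule counters; Packets/States on the route-to rules
#                   # should rise when probing through the non-default link
#   pfctl -ss       # state table; a state entry confirms the reply path
# Probe one link explicitly by choosing its source address (ping -S):
#   ping -S <int_b address> -c 3 <external host>
```

Note that the rule for int_b is the mirror image: if someone later changes the default route to link B, packets sourced from int_a will be seen "out on $int_b" and the second rule takes over, so the pair keeps working whichever link holds the default route.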
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net