Greetings,
Eygene Ryabinkin wrote:
> Stefan, good day.
>
> Thu, Mar 20, 2008 at 03:43:44PM +0200, Stefan Lambrev wrote:
>> But here is a working example which you can improve, of course.
>>
>> # The macros ext_if1, ext_if2, gw1, gw2, external_addr1 and
>> # external_addr2 are defined earlier in pf.conf (not shown here).
>>
>> # dual home: replies leave on the interface the connection arrived on.
>> # The state created by 'pass in ... reply-to' carries the return route,
>> # so the 'pass out ... route-to' rules only see locally originated traffic.
>> pass in on $ext_if1 reply-to ($ext_if1 $gw1) from any to $external_addr1 keep state
>> # traffic sourced from addr1 that the routing table hands to ext_if2 is
>> # forced back out ext_if1 via gw1
>> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>> pass in on $ext_if2 reply-to ($ext_if2 $gw2) from any to $external_addr2 keep state
>> # gw2 is the gateway reachable on ext_if2 (the posted rule had $gw1 here,
>> # which does not pair with ext_if2)
>> pass out on $ext_if1 route-to ($ext_if2 $gw2) from $external_addr2 to any
>>
>> # dual home, ssh only: same route-to rules, inbound limited to tcp port 22
>> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>> pass out on $ext_if1 route-to ($ext_if2 $gw2) from $external_addr2 to any
>> pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $external_addr1 port 22 keep state
>> pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $external_addr2 port 22 keep state
>> [...]
>> You forget that the first rule to match wins, and keep state (which is on by
>> default in 7.0) will make replies match the state, not the pass out rules.
>
> Maybe I am badly interpreting the last sentence, but in pf, the
> last rule that matches (or the first rule with the 'quick' keyword)
> wins. The above rules are just decoupled from each other, because
> they differ in interface/direction. And sure, when the
> state is created, the subsequent packets are not passed through the
> ruleset. Am I missing something?
Yes, you are absolutely right - the last rule that matches will win,
and there is only one rule that will match incoming packets and create
state, thus preventing outgoing packets from matching anything else but
this state.
Thank you.
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
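
The three pf behaviours the exchange turns on (the state table is consulted before the ruleset, the last matching rule wins unless a rule says 'quick', and a state created by a 'pass in ... reply-to' rule decides the route of the replies, so the 'pass out ... route-to' rules never see them) can be walked through with a small model. The following is an added example, not code from the thread or from pf itself; the interface names, gateways and addresses are constructed placeholders standing in for the $ext_if1/$gw1/$external_addr1 macros, and the class and function names are made up for the illustration.

```python
"""Toy model of pf rule evaluation for the dual-homed ruleset in the thread.

Added example (not pf code). Models: state lookup before the ruleset walk,
last-match-wins unless 'quick', and reply-to stored in the state so replies
are routed by the state rather than by any 'pass out ... route-to' rule.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed stand-ins for the pf.conf macros ($ext_if1, $gw1, ...).
EXT_IF1, GW1, ADDR1 = "em0", "198.51.100.1", "198.51.100.10"
EXT_IF2, GW2, ADDR2 = "em1", "203.0.113.1", "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface pf sees the packet on (chosen by the routing table for "out")
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    direction: str
    iface: str
    src: str = "any"
    dst: str = "any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    route_to: Optional[Tuple[str, str]] = None   # applies to packets in the rule's direction
    reply_to: Optional[Tuple[str, str]] = None   # applies to the reverse direction
    quick: bool = False
    keep_state: bool = True                      # 'keep state' is the default, as the thread notes

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.iface == p.iface
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))


class Pf:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = {}   # 5-tuple -> (iface, gw) route to apply, or None for normal routing

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet):
        """Return (how, winning_rule_index, route): how is 'state', 'rule' or 'default'."""
        key = self._key(p)
        if key in self.states:                  # 1. state table first: ruleset is skipped
            return ("state", None, self.states[key])
        winner = None                           # 2. ruleset walk: last match wins ...
        for i, r in enumerate(self.rules):
            if r.matches(p):
                winner = i
                if r.quick:                     # ... unless the match says 'quick'
                    break
        if winner is None:
            return ("default", None, None)
        r = self.rules[winner]
        if r.keep_state:                        # 3. state records both directions' routing
            self.states[key] = r.route_to
            self.states[(p.proto, p.dst, p.dport, p.src, p.sport)] = r.reply_to
        return ("rule", winner, r.route_to)


# The ruleset from the thread, macros bound to the constructed values above.
RULES = [
    Rule("in", EXT_IF1, dst=ADDR1, reply_to=(EXT_IF1, GW1)),                          # 0
    Rule("out", EXT_IF2, src=ADDR1, route_to=(EXT_IF1, GW1)),                         # 1
    Rule("in", EXT_IF2, dst=ADDR2, reply_to=(EXT_IF2, GW2)),                          # 2
    Rule("out", EXT_IF1, src=ADDR2, route_to=(EXT_IF2, GW2)),                         # 3
    Rule("in", EXT_IF1, dst=ADDR1, proto="tcp", dport=22, reply_to=(EXT_IF1, GW1)),   # 4
    Rule("in", EXT_IF2, dst=ADDR2, proto="tcp", dport=22, reply_to=(EXT_IF2, GW2)),   # 5
]


def ssh_session_via_if1():
    """Inbound SSH SYN on em0, then the SYN/ACK the kernel would route out em1."""
    pf = Pf(RULES)
    syn = Packet("in", EXT_IF1, "tcp", "192.0.2.7", 40000, ADDR1, 22)
    first = pf.filter(syn)          # rules 0 and 4 both match; the later one (4) wins
    synack = Packet("out", EXT_IF2, "tcp", ADDR1, 22, "192.0.2.7", 40000)
    second = pf.filter(synack)      # state hit: reply-to (em0, gw1); rule 1 is never consulted
    return first, second


def local_from_addr2():
    """Locally originated UDP from addr2 with no state: the route-to rule (3) wins."""
    pf = Pf(RULES)
    return pf.filter(Packet("out", EXT_IF1, "udp", ADDR2, 53000, "192.0.2.53", 53))


def first_match_with_quick():
    """Same SYN, but rule 0 marked 'quick': the walk stops at the first match."""
    pf = Pf([replace(RULES[0], quick=True)] + RULES[1:])
    return pf.filter(Packet("in", EXT_IF1, "tcp", "192.0.2.7", 40000, ADDR1, 22))


if __name__ == "__main__":
    print(ssh_session_via_if1())
    print(local_from_addr2())
    print(first_match_with_quick())
```

Run it as a script to see the three decisions; the second element of ssh_session_via_if1() is the point of the thread: the SYN/ACK is decided by the state entry and gets the reply-to route, and whether the first or last matching rule "wins" only matters for the packet that created the state.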