On 7/14/06, Nejc Skoberne <[EMAIL PROTECTED]> wrote:
pass out on $UntrustInterface route-to ($UntrustInterface2 $NextHop2) from $UntrustInterface2 to any keep state
pass out on $UntrustInterface2 route-to ($UntrustInterface $NextHop1) from $UntrustInterface to any keep state

I thought this would do the following: if I ping E.F.G.H from w.x.y.z (somewhere on the Internet), the packet goes in through $UntrustInterface2, the kernel crafts the ping-reply packet and sends it out to the default route via $UntrustInterface - but since there is a route-to rule, the packet should get routed to $UntrustInterface2 and $NextHop2 instead. Is this reasoning correct?
You need to use reply-to when a packet comes in on the second interface:

pass in on $UntrustInterface2 reply-to ($UntrustInterface2 $NextHop2) keep state

That should get you working, then apply filtering as desired.
You can find the full pf.conf here: http://nejc.skoberne.net/pf.conf
Thanks for linking your full pf.conf, as it makes answering questions a lot easier.

-- Jon
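A fuller dual-uplink fragment illustrating the reply-to point above, added here as an example and not taken from the poster's pf.conf; the interface names, gateway addresses and LAN prefix are placeholders:

```pf
# Added example (not the original poster's configuration). Macro values are
# placeholders standing in for the real interfaces and next hops.
UntrustInterface  = "em0"
UntrustInterface2 = "em1"
NextHop1          = "192.0.2.1"      # gateway on the default-route uplink
NextHop2          = "198.51.100.1"   # gateway on the second uplink
TrustInterface    = "em2"
LAN               = "10.0.0.0/24"

# Inbound connections from the Internet. The state entry created by these
# rules records the reply path, so the kernel's ping reply (or SYN-ACK) to a
# packet that arrived on em1 leaves via em1 towards $NextHop2 instead of
# following the default route out of em0. A route-to on "pass out" cannot do
# this, because the reply is matched against the existing state, not against
# the outbound ruleset.
pass in on $UntrustInterface  reply-to ($UntrustInterface  $NextHop1) keep state
pass in on $UntrustInterface2 reply-to ($UntrustInterface2 $NextHop2) keep state

# Connections originated from the LAN. Here route-to, applied on the way in
# from the trusted side, selects the uplink; the answers come back through the
# same state, so no reply-to is needed for this direction.
pass in on $TrustInterface route-to ($UntrustInterface2 $NextHop2) from $LAN to any keep state
```

The reply-to on the default-route uplink is redundant for correctness but makes the policy symmetric, so a later change of the default route does not silently alter which interface answers.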