Tom Uffner wrote:
Zinevich Denis wrote:
"pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
work. But anyway question is not in syntax of rules, because nobody
touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3
Network is quite simple.
Server has 2 cards bce0 and bce1
bce0 - 172.20.51.10
bce1 - 172.20.1.130
default gw - 172.20.1.1
networks are /24
As I described before, the goal of my rule is to ignore the default route when
a request comes in on 172.20.51.10.
Without such a rule the reply will go to 172.20.1.1, and with the pf rule it
will go out to 172.20.51.1 via bce0.
For example, a similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from
172.20.51.10 to any
Link wrote:
My full configuration is:
if_bce0="bce0"
if_bce0_gw="172.20.51.1"
if_bce1="bce1"
scrub in all
pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to any no state flags any
I apologize for misunderstanding the part of your reply about FreeBSD 7.1
patchlevels. I realized my error too late, after I had sent the message.
The simplest way to do what you want doesn't involve a firewall at all.
Simply configure the devices on the 172.20.51/24 network with the
following routes:
Destination    Gateway
default        172.20.51.1
172.20.1/24    172.20.51.10
If this is not possible for some reason and you must bounce them through
the firewall, I think the rules you want are:
pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
from $if_bce0:network to any
According to my understanding of pf syntax, it was probably a bug that
your ruleset ever worked. "... from $if_bce0 ..." should have matched
only packets from the local server with a source address of 172.20.51.10.
Just adding :network to the $if_bce0 in the from clause of your rule
should make it do what you want, but it is quite inefficient: you are
checking every outbound packet on bce1 after all of the normal processing
and routing has been done, rewriting the ones that arrived on bce0 and
sending them back through the network subsystem again.
It would be better to check the inbound packets on bce0, accept the ones
destined for the local host or the 172.20.1/24 network, and re-route the
ones that would use the default gw.
tom
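As an added example (not from the thread), a small Python model of how pf expands `$if_bce0` versus `$if_bce0:network` and on which direction and interface each of the two rulesets above would see a packet. 10.0.0.5 is a constructed remote host; the model covers address expansion and rule matching only, not pf's state tracking or the 7.1-p3 behaviour Denis reports.

```python
import ipaddress

# Constructed from the thread: the server's two interfaces and their /24 networks.
IFACES = {
    "bce0": ipaddress.ip_interface("172.20.51.10/24"),
    "bce1": ipaddress.ip_interface("172.20.1.130/24"),
}
BCE0_GW = ("bce0", "172.20.51.1")   # the route-to target ($if_bce0 $if_bce0_gw)

def expand(spec):
    """Expand one pf address spec: an interface name yields that interface's own
    address, 'name:network' its directly attached network, 'any' everything."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.endswith(":network"):
        return IFACES[spec[:-len(":network")]].network
    if spec in IFACES:
        return ipaddress.ip_network(str(IFACES[spec].ip))
    return ipaddress.ip_network(spec, strict=False)

def rule(direction, iface, src, dst, route_to=None, quick=False):
    return dict(direction=direction, iface=iface, src=src, dst=dst,
                route_to=route_to, quick=quick)

def packet(direction, iface, src, dst):
    return dict(direction=direction, iface=iface, src=src, dst=dst)

def matches(r, pkt):
    """A rule only sees packets travelling in its own direction on its own interface."""
    if (r["direction"], r["iface"]) != (pkt["direction"], pkt["iface"]):
        return False
    src_ok = any(ipaddress.ip_address(pkt["src"]) in expand(s) for s in r["src"])
    dst_ok = any(ipaddress.ip_address(pkt["dst"]) in expand(d) for d in r["dst"])
    return src_ok and dst_ok

def egress(ruleset, pkt):
    """Last matching rule wins unless an earlier match is 'quick'. Returns the
    (iface, gateway) forced by route-to, or None for ordinary kernel routing."""
    winner = None
    for r in ruleset:
        if matches(r, pkt):
            winner = r
            if r["quick"]:
                break
    return winner["route_to"] if winner else None

# Denis's rule: pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to any
ORIGINAL = [rule("out", "bce1", ["bce0"], ["any"], route_to=BCE0_GW)]
# Tom's proposal: quick-pass local and 172.20.1/24 destinations, route-to the rest by source network
PROPOSED = [
    rule("in", "bce0", ["any"], ["172.20.51.10", "172.20.1.0/24"], quick=True),
    rule("in", "bce0", ["bce0:network"], ["any"], route_to=BCE0_GW),
]
```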
Thanks for your reply.
Tried the rules you've listed.
Does not help....
I've checked with tcpdump; packets are still going out using the default route.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"