Hi,

Playing around with FIBs and jails.

The host system is on a private 172.xxx network with a gateway of 172.xxx going through a NAT box for internet. [fib 0]

The jail has only a public IP, on fib 1 [with gateway being ISP router]

With this, the jail is working fine.

What I'm trying to accomplish is portknocking for 'ssh' access:

    pass in log quick proto tcp from any to any port {1234} synproxy state \
        (max-src-conn-rate 5/15, overload <portknock_ssh>)

Because the jail is on 'fib 1', the connection is never established to overload the rule. The 'synproxy state' is communicating via the 172.xxxx/default gateway [of fib 0] instead of via the public "fib 1".

I can ssh into the jail if I do

    pass in log quick proto tcp from any to any port {22} keep state

I CANNOT ssh into the jail if I do

    pass in log quick proto tcp from any to any port {22} synproxy state

Any way I can force 'synproxy' to communicate via fib 1?

]Peter[
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf