Dear List,

my network is connected to the internet by three different DSL connections. On connecting, my ISP always provides the same IP addresses, so the links are effectively configured with a fixed IP address each. These connections are managed by my external firewall.

Outbound traffic is load balanced via round robin on the three mpath default routes. Since I run several services on my system (e.g. openvpn, which is actually served by my internal firewall), I have to ensure that inbound traffic is returned on exactly the connection the request came in on. This is done by the following pf rules (openvpn handling as an example among others):

#---------------------------------------------------------------
ext_if0 = "tun0"
ext_if1 = "tun1"
ext_if2 = "tun2"
int_fw  = # my internal firewall's address
...
pass in quick on $ext_if0 proto udp from any to any port 1194 \
    rdr-to $int_fw port 1194 reply-to ( $ext_if0 $ext_if0:peer )
pass in quick on $ext_if1 proto udp from any to any port 1194 \
    rdr-to $int_fw port 1194 reply-to ( $ext_if1 $ext_if1:peer )
pass in quick on $ext_if2 proto udp from any to any port 1194 \
    rdr-to $int_fw port 1194 reply-to ( $ext_if2 $ext_if2:peer )
#---------------------------------------------------------------

May there be any trick that avoids this rule definition for each connection? I am trying to make the rules simpler, and I am also looking for a rule that is independent of the actual connection state (if one of the connections is broken, pfctl complains about an unreachable peer, of course). Has anyone tried something like this using pf anchors?

Thank you for advice, and thanks to the OpenBSD team for their great work!

Torsten

--
------------------------------------------------------------------------
Dr.-Ing. Torsten Finke              torsten.fi...@igh-essen.com
                                    Tel.: +49 201 / 36014-17
Ingenieurgemeinschaft IgH
Gesellschaft für Ingenieurleistungen mbH
Heinz-Bäcker-Str. 34
D-45356 Essen
Amtsgericht Essen HRB 11500
VAT ID: DE 174 626 722
Managing Directors:
 - Dr.-Ing. T. Finke,
 - Dr.-Ing. W. Hagemeister
Tel.: +49 201 / 360-14-0
http://www.igh-essen.com
GnuPG-Key: 1024D/8F2300D8
Fingerprint: B929 7FA5 4D2E E9B6 C55C 8A0B 7DF4 86E9 8F23 00D8
------------------------------------------------------------------------
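An added example, not part of the original message or of any reply to it: one way to stop hand-writing the per-link rule three times, and to keep the ruleset loadable while a DSL link is down, is to generate the rules from a list of uplink interfaces and load only the rules for links that currently hold an address into a pf anchor. The function names (`gen_reply_rules`, `up_links`), the anchor name `vpnlinks` and the internal address `192.0.2.10` are assumptions chosen for the illustration; the rule text itself follows the form shown in the message above, and `pfctl -a <anchor> -f -` is pf's standard way of loading rules into an anchor from standard input.

```shell
#!/bin/sh
# Hypothetical helpers (not from the original post): emit one
# "pass in ... rdr-to ... reply-to" rule per uplink interface, so the
# rule body is written once and the interface list is data.

# gen_reply_rules PORT TARGET IF...
# Prints a pf rule pair for every interface given as an argument.
gen_reply_rules() {
    port=$1
    target=$2
    shift 2
    for ifn in "$@"; do
        printf 'pass in quick on %s proto udp from any to any port %s \\\n' \
            "$ifn" "$port"
        printf '    rdr-to %s port %s reply-to ( %s %s:peer )\n' \
            "$target" "$port" "$ifn" "$ifn"
    done
}

# up_links IF...
# Prints only those interfaces that currently carry an IPv4 address, so a
# broken DSL link (no address, no peer) is simply left out of the anchor
# instead of making pfctl reject the whole ruleset.
up_links() {
    for ifn in "$@"; do
        if ifconfig "$ifn" 2>/dev/null | grep -q 'inet '; then
            printf '%s\n' "$ifn"
        fi
    done
    return 0
}

# Example invocation (constructed values): regenerate the anchor whenever a
# link comes up or goes down, e.g. from the PPP up/down hook.
#   gen_reply_rules 1194 192.0.2.10 $(up_links tun0 tun1 tun2) \
#       | pfctl -a vpnlinks -f -
# The main pf.conf then needs a single line in place of the three rules:
#   anchor "vpnlinks"
```

Because the anchor is reloaded independently of the main ruleset, a link that is down never appears in a `reply-to` clause, and adding a fourth DSL line is a matter of extending the interface list rather than copying another rule block.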