On Fri, Sep 12, 2014 at 12:10 PM, Henning Brauer <hb-open...@ml.bsws.de> wrote:
> * Thomas Pfaff <tpf...@tp76.info> [2014-08-28 13:51]:
>> I have a router with two external interfaces, ext_if1 and ext_if2,
>> where everything gets routed through ext_if2 by default (gateway)
>> except for a few daemons on ext_if1.
>>
>> pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
>>     port ssh reply-to ($ext_if1 $ext_gw1)
>>
>> This seems to work as expected, sending return traffic through
>> ext_if1 rather than the default gateway.
>>
>> The problem is when a connection attempt is made on $ext_if1 to
>> a blocked port (set block-policy return). RST is sent through
>> ext_if2 rather than ext_if1, thus showing up at the destination
>> with the wrong source address.
>>
>> I'm unable to find a rule that will get the router to send RST
>> through the correct interface, so other than using block-policy
>> drop to not send RST, is there a way to make it send through
>> the correct interface (ext_if1 in this case)?
>
> pf-generated packets like these RSTs bypass the ruleset, thus never
> hit your reply-to.
>
> I'm not aware of a solution.
>
> (route-to and reply-to are stupid to begin with. Avoid at all costs.)
Can you explain how you avoid this when having multiple default routes?

> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services GmbH, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
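As an added example, not part of the thread above: the point Henning makes is that `set block-policy return` RSTs are generated by pf itself and never traverse the ruleset, so no `reply-to` can steer them. What a ruleset can do is confine the problem to the one interface where it bites, by overriding the global policy per rule with `block drop`, while the rest of the box keeps `block-policy return`. Interface names (em0, em1) and the gateway address are assumptions chosen for illustration; the ssh rule is the one from Thomas's mail. Note that pf evaluates to the last matching rule, so the `block drop` must precede the `pass`, and that the `(interface gateway)` form of `reply-to` is the syntax of the thread's era; check pf.conf(5) on your release, since later OpenBSD versions changed route-to/reply-to to take only the next-hop address.

```pf
# Assumed interface names and gateway (not from the thread):
ext_if1 = "em0"          # secondary uplink, a few daemons answer here
ext_if2 = "em1"          # default route goes out here
ext_gw1 = "192.0.2.1"    # next hop on ext_if1

# Global policy: answer blocked TCP with RST / ICMP unreachable.
# pf builds these packets itself; they do not match any rule below,
# so a reply-to cannot influence which interface they leave on.
set block-policy return

# On ext_if1 a RST would be routed via the default gateway (ext_if2)
# and arrive with ext_if2's address as source. Override the policy
# per rule so this interface silently drops instead of misrouting.
# Last matching rule wins, so this must come before the pass below.
block drop in on $ext_if1

# Rule from the thread: accept ssh on ext_if1 and send replies back
# through ext_if1 rather than via the default route.
pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
    port ssh reply-to ($ext_if1 $ext_gw1)

# Everything else blocked on ext_if2 still gets the global "return"
# behaviour, which is correct there because the default route already
# sends those RSTs out the interface the probe arrived on.

# Check after `pfctl -f /etc/pf.conf`: probe a closed port on ext_if1's
# address and confirm no RST leaves ext_if2 with the wrong source:
#   tcpdump -ni em1 'tcp[tcpflags] & tcp-rst != 0'
```

The trade-off is visible to the remote side: closed ports on ext_if1 now look filtered rather than closed, which is what Thomas already proposed with a global `block-policy drop`; the per-rule form just keeps that cost to the one interface that needs it.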