Hello, I have two OpenBSD 3.8 boxes with packet filter, carp interfaces and pfsync like this:

LAN
                   ----------------------------------
                   |                                |
                   |                                |
                   | hme3                           |

   ----- hme1 [ OpenBSD0 ] hme0 ---  internet       |  internet
   |          hme2 |              |    gw1          |     gw2
----|               |              |-------          |--------
   |               |              |                 |
   |               | hme2         |                 |
   ----- hme1 [ OpenBSD1 ] hme0 ---                 |
                   |                                |
                   | hme3                           |
                   |                                |
                   ----------------------------------

I do not use round robin to load balance because the machines on the LAN will never create connections... they will only respond to Internet requests. I want each box not to have a default gateway, because the interface a packet came in on will decide where it is returned. And it works fine.

But I need to connect to anywhere from a specific public host, and only via Internet gw1 (hme0), and it does not work, so I have created these rules in each box ($proxy is a macro with a public IP address and $gateway is the IP address of my gateway):

pass in quick on hme0 from $proxy to any tag PROXY keep state
pass out quick reply-to ( hme0 $gateway ) keep state tagged PROXY

For example, if I want to connect to the ssh port from $proxy to any hme0 interface, I cannot.... This is my tcpdump output:

# tcpdump -n -e -ttt -i hme0 host 200.13.161.68
tcpdump: listening on hme0, link-type EN10MB
Jan 04 11:37:41.242856 0:6:2a:96:f0:a9 0:3:ba:39:70:46 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243131 0:6:2a:96:f0:a9 0:3:ba:39:70:46 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243187 0:3:ba:39:70:46 0:6:2a:96:f0:a9 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243299 0:6:2a:96:f0:a9 0:3:ba:39:70:46 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243321 0:3:ba:39:70:46 0:6:2a:96:f0:a9 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)

Look... the packets come from the proxy IP address, but the IP address of my hme0 interface never replies to this request. The log of my packet filter shows me nothing about dropping or rejecting the response packet from the hme0 IP address.

Any suggestions.... I will appreciate it so much :)

Thanks in advance

Mario

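For reference, the symmetric-routing pattern that pf.conf(5) documents for reply-to, as an added example written for this page; it is not the poster's configuration and not a claimed fix for the problem above. pf.conf(5) says reply-to routes the packets that pass in the opposite direction of a state (the replies) and is useful only in rules that create state, so in this example it sits on the pass in rule that creates state for the inbound packet, and the pass out rule merely lets the reply leave. The interface roles (hme0 towards gw1, hme3 towards gw2, hme1 to the LAN, hme2 for pfsync) are taken from the diagram; the macros ext_if1, ext_if2, int_if, gw1, gw2 and the documentation addresses are assumptions, as is the choice of ssh and www as the services being answered.

```pf
# Added example (not the original poster's rules): symmetric return
# routing with reply-to as described in pf.conf(5). Macro names and
# addresses are assumptions for illustration.
ext_if1 = "hme0"            # faces gw1
ext_if2 = "hme3"            # faces gw2
int_if  = "hme1"            # LAN
sync_if = "hme2"            # pfsync link between the two boxes
gw1     = "192.0.2.1"       # assumed: next hop behind hme0
gw2     = "198.51.100.1"    # assumed: next hop behind hme3
proxy   = "203.0.113.10"    # assumed: the public host that must reach us via gw1

set skip on { lo0 pfsync0 }

block log all

# Failover plumbing for the pair: carp on the filtered interfaces,
# pfsync only on the dedicated link.
pass quick on $sync_if proto pfsync
pass on { $ext_if1 $ext_if2 $int_if } proto carp keep state

# Services the firewall itself answers. With no default route, the
# reply-to on the state-creating inbound rule is what tells pf where
# the SYN-ACK and every later reply of that state go: out the same
# interface the connection arrived on, to that interface's gateway.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp \
    from any to ($ext_if1) port ssh flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
    from any to ($ext_if2) port ssh flags S/SA keep state

# Traffic forwarded to LAN hosts works the same way: reply-to on the
# inbound rule pins the return path, the pass out rule only has to
# let the reply out. No reply-to is needed on the pass out side.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp \
    from $proxy to $int_if:network port www flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
    from any to $int_if:network port www flags S/SA keep state
pass out on $int_if keep state

# Connections that LAN hosts initiate, if any: route-to on the rule
# that sees the first packet (inbound on the LAN side) steers them
# through gw1, again without relying on a default route.
pass in on $int_if route-to ($ext_if1 $gw1) \
    from $int_if:network to any keep state
pass out on $ext_if1 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to have the parser check the syntax without touching the running ruleset, and then `pfctl -f /etc/pf.conf`; `pfctl -ss` afterwards shows whether a state was created for the inbound SYN, which is the precondition for reply-to to have any effect on the replies.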