2008/1/20, Jussi Peltola <[EMAIL PROTECTED]>:
> On Sun, Jan 20, 2008 at 07:13:02AM +0200, Jussi Peltola wrote:
> > On Sun, Jan 20, 2008 at 03:48:16PM +1100, Sunnz wrote:
> > >
> > > pass out on pppoe1 route-to (pppoe0 pppoe0:peer) \
> > > from any to pppoe0
> >
> > I don't think that will work. Anyone trying to reach pppoe0 will not get
> > routed out on pppoe1.
>
> Hmm, actually that rule is almost correct, and I ended up getting confused...
>
> What you probably mean is:
> pass out on pppoe1 route-to (pppoe0 pppoe0:peer) from pppoe0 to any
>                                                  ^^^^^^^^
Hey, I have tried the following:

reply-to:

1) pass in on pppoe0 reply-to pppoe0 from any to pppoe0

It just works, both traceroute, ping, and ssh.

route-to:

2) pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any

3) pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
   pass out on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from pppoe1:0 to any

4) pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
   pass out on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from pppoe1:0 to any
   pass in on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from any to pppoe0:0
   pass in on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from any to pppoe1:0

2), 3) and 4) work with traceroute and ping from the outside, but not ssh.

So, do I need to use some kind of packet management with tag to get route-to to work? Or would using reply-to suffice?

What I am worried about is this section from pf.conf(5):

     reply-to
         The reply-to option is similar to route-to, but routes packets that
         pass in the opposite direction (replies) to the specified interface.
         Opposite direction is only defined in the context of a state entry,
         and reply-to is useful only in rules that create state. It can be
         used on systems with multiple external connections to route all
         outgoing packets of a connection through the interface the incoming
         connection arrived through (symmetric routing enforcement).

"Opposite direction is only defined in the context of a state entry, and reply-to is useful only in rules that create state." - as far as I know, only TCP connections have states, but not UDP... so what I am worried about is that reply-to does not work with UDP connections? I don't have a UDP service to test this out now, but I probably will have some UDP service in the future.

-- 
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
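An added pf.conf fragment (not from the thread, written here as an illustration) showing reply-to applied per external interface for TCP, UDP and ICMP: pf creates state entries for UDP and ICMP as well as TCP, so reply-to applies to them once the rule keeps state. The interface names and the route-to form `(pppoe0 pppoe0:peer)` come from the thread; the macro names and service ports are assumptions, and the grammar is the pre-4.7 one used in the thread (route option after `on ifspec`).

```conf
# Added example (not from the thread): symmetric routing enforcement on a
# host with two PPPoE uplinks. Interface names come from the thread; macro
# names and the service ports are assumptions chosen for illustration.
ext0 = "pppoe0"
ext1 = "pppoe1"
tcp_services = "{ ssh, www }"
udp_services = "{ domain }"

# Traffic the host itself originates from one link's own address leaves
# through that link rather than the default route.
pass out quick on $ext1 route-to ($ext0 $ext0:peer) inet from $ext0:0 to any keep state
pass out quick on $ext0 route-to ($ext1 $ext1:peer) inet from $ext1:0 to any keep state

# Inbound connections: replies go back out the link they arrived on.
# reply-to only takes effect on the rule that creates the state, so
# 'quick' makes sure no later rule creates the state instead.
pass in quick on $ext0 reply-to ($ext0 $ext0:peer) inet proto tcp \
    from any to $ext0:0 port $tcp_services flags S/SA keep state
pass in quick on $ext1 reply-to ($ext1 $ext1:peer) inet proto tcp \
    from any to $ext1:0 port $tcp_services flags S/SA keep state

# UDP has no handshake, but pf still creates a state entry for the first
# packet, so reply-to routes the answers symmetrically as well.
pass in quick on $ext0 reply-to ($ext0 $ext0:peer) inet proto udp \
    from any to $ext0:0 port $udp_services keep state
pass in quick on $ext1 reply-to ($ext1 $ext1:peer) inet proto udp \
    from any to $ext1:0 port $udp_services keep state

# Same for ICMP echo (ping/traceroute replies).
pass in quick on $ext0 reply-to ($ext0 $ext0:peer) inet proto icmp \
    from any to $ext0:0 icmp-type echoreq keep state
pass in quick on $ext1 reply-to ($ext1 $ext1:peer) inet proto icmp \
    from any to $ext1:0 icmp-type echoreq keep state
```

Check the loaded result with `pfctl -nf /etc/pf.conf` first and then `pfctl -ss` while a UDP exchange is in flight; the state entry for the UDP flow is what reply-to uses to pick the return interface.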