FreeBSD 8: ipfw fwd and pf route-to broken?

Lytochkin Boris lytboris at gmail.com
Mon Dec 7 21:14:41 UTC 2009


Oops, everything is OK with route-to and reply-to in pf, my bad.

Config for my situation must be like this:
scrub in all fragment reassemble
pass in quick reply-to (em0 10.60.128.254) inet from any to 10.60.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.70.128.254) inet from any to 10.70.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.71.128.254) inet from any to 10.71.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.72.128.254) inet from any to 10.72.128.0/24 flags S/SA keep state
pass in quick all flags S/SA keep state

or incoming traffic would create keep-state with pass in and would not
go down to route-to rules.
Or use per-interface keep states.

On Mon, Dec 7, 2009 at 10:40 PM, Max Laier <max at love2party.net> wrote:
> On Friday 04 December 2009 09:47:37 Lytochkin Boris wrote:
>> It seems that FreeBSD 8 has ipfw fwd and pf's route-to malfunctioning:
>> 1) ipfw fwd
>> a) net.inet.ip.forwarding = 0
>>   Packets altered by fwd rule are silently dropped somewhere
>> between ip_output() checking forward tag and bpf (tcpdump does not
>> show these packets)
>> b) net.inet.ip.forwarding = 1
>>   Packets altered by fwd rule are forwarded according to normal
>> routing table (in my case they were forwarded to default gateway), not
>> fwd statement
>>
>> 2) pf route-to
>> Both values of net.inet.ip.forwarding replicate the 1b case.
>>
>> Sample configs
>>
>> 1) ipfw
>> add 60 fwd 10.60.128.254 ip from 10.60.128.0/24 to any out
>> add 65534 allow ip from any to any
>>
>> 2) pf
>> scrub in all fragment reassemble
>> pass in all flags S/SA keep state
>> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 to any flags S/SA keep state
>
> I cannot reproduce this. My (cursory) test on a r197983 install suggests that
> route-to is working as it should.  Your rules are a bit strange and might
> result in asymmetric states that can result in dropped tcp-sessions, but the
> basic route-to is correct.  Can you share more details about your setup:
> netstat -rnfinet, pfctl -vvsr (after passing some traffic that was supposed to
> hit the route-to rule) and how exactly your default gateway and the
> alternative router are connected to your pf-box?
>
> Thanks in advance.
>
> --
>  Max
>
>
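One way to see why the reply-to fix works, as an added illustration that is not part of this thread or of pf itself: a toy Python model of pf's state lookup in which a packet that hits an existing state skips the ruleset. The default gateway 192.0.2.1 and the test packets are assumptions.

```python
# Added example, not code from the thread or from pf: a toy model of the state-table
# behaviour Boris describes.  A packet matching an existing state never reaches the
# ruleset again, so the "pass in ... keep state" rule that created the state, not a
# later "pass out route-to", decides how the reply leaves.  Simplified: floating states
# keyed on addresses only, every rule quick, only em0 crossings, constructed test packets.
DEFAULT_GW = ("em0", "192.0.2.1")     # assumed default gateway (routing-table choice)
ROUTER_60 = ("em0", "10.60.128.254")  # router for 10.60.128.0/24, from the thread

def rule(direction, src, dst, route_to=None, reply_to=None):
    return {"dir": direction, "from": src, "to": dst, "route_to": route_to, "reply_to": reply_to}

def in_net(addr, net):
    # "any" or a /24 written like "10.60.128.0/24" (only /24s are handled here)
    return net == "any" or addr.startswith(net[:-len("0/24")])

class PfModel:
    def __init__(self, rules):
        self.rules, self.states = rules, {}

    def handle(self, pkt):
        """(ifname, nexthop) for an outbound packet, "in" for inbound, None if dropped."""
        key = tuple(sorted((pkt["src"], pkt["dst"])))   # floating: interface not in key
        st = self.states.get(key)
        if st is None:                                  # no state yet: walk the ruleset
            for r in self.rules:
                if r["dir"] == pkt["dir"] and in_net(pkt["src"], r["from"]) \
                        and in_net(pkt["dst"], r["to"]):
                    st = {"dir": pkt["dir"], "route_to": r["route_to"], "reply_to": r["reply_to"]}
                    self.states[key] = st               # keep state
                    break
            else:
                return None
        if pkt["dir"] == "in":
            return "in"
        # same direction as the creating rule -> route-to; reply direction -> reply-to
        hop = st["route_to"] if pkt["dir"] == st["dir"] else st["reply_to"]
        return hop or DEFAULT_GW

# Boris's first ruleset: "pass in all" creates the state, so the SYN/ACK matches it
# and never reaches the route-to rule.  The corrected ruleset puts reply-to on the
# inbound rule so the state itself carries the return route.
BROKEN = [rule("in", "any", "any"), rule("out", "10.60.128.0/24", "any", route_to=ROUTER_60)]
FIXED = [rule("in", "any", "10.60.128.0/24", reply_to=ROUTER_60), rule("in", "any", "any")]

def reply_nexthop(rules):
    """Next hop of the SYN/ACK for a connection that arrived from outside."""
    pf = PfModel(rules)
    pf.handle({"dir": "in", "src": "198.51.100.7", "dst": "10.60.128.10"})
    return pf.handle({"dir": "out", "src": "10.60.128.10", "dst": "198.51.100.7"})

def outbound_nexthop(rules):
    """Next hop of a SYN that the inside host opens itself (route-to rule applies)."""
    return PfModel(rules).handle({"dir": "out", "src": "10.60.128.10", "dst": "198.51.100.7"})
```

With BROKEN the reply goes to the default gateway while an inside-initiated connection is still routed correctly, which matches both Boris's symptom and Max's observation that route-to itself works.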