reply-to versus default route - PF/synproxy

Aristeu Gil Alves Jr aristeu.jr at gmail.com
Mon Oct 23 13:59:45 PDT 2006


The reply-to is not working when it is used with synproxy.

The scenario is described below:

gw-isp1 and gw-isp2 are the IP addresses of the ISP 1 and ISP 2 gateways:
/etc/pf.conf
------------------------------------
if_isp1="ed0"
if_isp2="ed1"
if_internal="ed2"
# gw-isp1 / gw-isp2 stand for the gateway addresses of each ISP
route1="( ed0 gw-isp1 )"
route2="( ed1 gw-isp2 )"

rdr on $if_isp1 proto tcp to port 25 -> 192.168.0.2 port 25
rdr on $if_isp2 proto tcp to port 25 -> 192.168.0.2 port 25

block in log all

# reply-to must reference the macros defined above (route1/route2);
# each rule is one line in pf.conf
pass in quick on $if_isp1 reply-to $route1 proto tcp to 192.168.0.2 port 25 synproxy state
pass in quick on $if_isp2 reply-to $route2 proto tcp to 192.168.0.2 port 25 synproxy state

pass out quick on $if_internal to 192.168.0.2 port 25 keep state

--------

The default route is ISP1 gateway.

--------

The problem is that even with pf supplying the route, the reply packets
obey the route imposed by the system default route.

Ex: a SYN packet comes in on the ISP2 interface and the response goes out
through ISP1, resulting in a communication failure.

When I use keep state instead of synproxy state, the communication works
as expected.

-- 
Aristeu Gil Alves Jr
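Before chasing reply-to semantics it is worth confirming that the ruleset you think is loaded is the one pf actually accepted: the configuration as it was transcribed to the list referenced $rota1 and $rota2 while the macros were defined as route1 and route2, and pfctl refuses to load a ruleset with an undefined macro. On the firewall the check is `pfctl -nf /etc/pf.conf`; the script below is an added example (not the poster's configuration or any FreeBSD tool) that performs the same undefined-macro check offline with only sed and grep, so it can run wherever the config is edited. The sample pf.conf it writes is constructed here to reproduce that mismatch; the ISP gateway names are placeholders.

```shell
#!/bin/sh
# check_pf_macros FILE
# Offline pre-check for a pf.conf: every $name (or ${name}) referenced in a
# rule must have a matching  name=...  macro definition, otherwise pfctl -nf
# refuses to load the ruleset. Prints the undefined names on stderr and
# returns 1 if any are found, 0 otherwise.
check_pf_macros() {
    pf_file="$1"
    # Definitions: a line of the form  name = "value"  (pf.conf macro syntax).
    # Comments are stripped first so a commented-out macro does not count.
    pf_defined=$(sed 's/#.*//' "$pf_file" \
        | sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' \
        | sort -u)
    # References: every $name or ${name} token outside comments.
    pf_referenced=$(sed 's/#.*//' "$pf_file" \
        | grep -o '\$[{]*[A-Za-z_][A-Za-z0-9_]*' \
        | sed 's/^\$[{]*//' \
        | sort -u)
    pf_missing=""
    for m in $pf_referenced; do
        if ! printf '%s\n' "$pf_defined" | grep -qxF "$m"; then
            pf_missing="$pf_missing $m"
        fi
    done
    if [ -n "$pf_missing" ]; then
        echo "$pf_file: undefined macro(s):$pf_missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the two-ISP inbound SMTP setup from the thread, with the
# pass rules referencing $rota1/$rota2 while the macros are named route1/route2.
demo_pf_conf=$(mktemp)
cat > "$demo_pf_conf" <<'EOF'
if_isp1="ed0"
if_isp2="ed1"
route1="( ed0 gw-isp1 )"
route2="( ed1 gw-isp2 )"
rdr on $if_isp1 proto tcp to port 25 -> 192.168.0.2 port 25
pass in quick on $if_isp1 reply-to $rota1 proto tcp to 192.168.0.2 port 25 synproxy state
pass in quick on $if_isp2 reply-to $rota2 proto tcp to 192.168.0.2 port 25 synproxy state
EOF
if check_pf_macros "$demo_pf_conf"; then
    echo "all macros defined"
else
    echo "fix the macro names before looking at reply-to behaviour"
fi
rm -f "$demo_pf_conf"
```

Once the file parses, `pfctl -vsr` on the firewall shows the loaded rules with their reply-to targets and state options, which is the quickest way to see whether the rule that actually matched carries reply-to and synproxy state or keep state.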