freebsd 7.1 pf route-to connection stall

Link link at ngc.net.ua
Mon Mar 2 09:17:46 PST 2009


Tom Uffner writes:
> Zinevich Denis wrote:
>> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
>> work. But anyway, the question is not about the syntax of the rules,
>> because nobody touched it and it was working on 6.3 and 7.1-p2, but not
>> on 7.1-p3.
>>
>> The network is quite simple.
>> The server has 2 cards, bce0 and bce1:
>> bce0 - 172.20.51.10
>> bce1 - 172.20.1.130
>> default gw - 172.20.1.1
>> networks are /24
>>
>> As I described before, the goal of my rule is to ignore the default route
>> when a request comes in on 172.20.51.10.
>> Without such a rule the reply will go to 172.20.1.1, and with the pf rule
>> it will go out to 172.20.51.1 via bce0.
>> For example, the similar rule for ipfw is: ipfw add 1 fwd 172.20.51.1 from
>> 172.20.51.10 to any
>>
>>> Link wrote:
>>>> My full configuration is:
>>>>
>>>> if_bce0="bce0"
>>>> if_bce0_gw="172.20.51.1"
>>>> if_bce1="bce1"
>>>>
>>>> scrub in all
>>>>
>>>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 
>>>> to any no state flags any
>
> I apologize for misunderstanding the part of your reply about FreeBSD 7.1
> patchlevels. I realized my error too late, after I had sent the message.
>
> The simplest way to do what you want doesn't involve a firewall at all.
> Simply configure the devices on the 172.20.51/24 network with the
> following routes:
>
> Destination     Gateway
> default         172.20.51.1
> 172.20.1/24     172.20.51.10
>
> If this is not possible for some reason and you must bounce them through
> the firewall, I think the rules you want are:
>
> pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
> pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
>     from $if_bce0:network to any
>
> According to my understanding of pf syntax, it was probably a bug that
> your ruleset ever worked. "... from $if_bce0 ..." should have matched
> only packets from the local server w/ source addresses of 172.20.51.10.
>
> Just adding :network to the $if_bce0 in the from clause in your rule
> should make it do what you want, but is quite inefficient. You are
> checking every outbound packet on bce1 after all of the normal processing
> & routing has been done, rewriting the ones that arrived on bce0 and
> sending them back through the network subsystem again.
>
> It would be better to check the in-bound packets on bce0, accept the ones
> destined for the local host or the 172.20.1/24 network, and re-route the
> ones that would use the default gw.
>
> tom
>
Thanks for your reply.
Tried the rules you've listed.
Does not help....
I've checked with tcpdump; packets are still going out using the default route.
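Added example, not a ruleset from anyone in this thread: a pf.conf in FreeBSD 7.1 syntax that separates the two cases the thread runs together, the server's own replies to connections that arrived on bce0 (Denis's stated goal) and traffic from hosts on 172.20.51/24 that use the box as a router (what Tom's rules address). For the first case it uses pf's reply-to option, which the thread does not mention; reply-to is recorded in the state entry, so it only works on rules that keep state and is defeated by the "no state" in the original rule. Interface names and addresses are taken from the thread; everything else is an assumption of this example.

```pf
# Added example; not the ruleset posted in the thread.
# Interfaces and addresses are the ones described by Denis.
if_bce0="bce0"
if_bce0_gw="172.20.51.1"
if_bce1="bce1"

scrub in all

# Case 1: connections that terminate on this server via bce0.
# reply-to stores the gateway in the state entry, so reply packets are
# sent out bce0 to 172.20.51.1 instead of following the default route
# (172.20.1.1 on bce1). This needs a state entry: 'no state' defeats it.
pass in on $if_bce0 reply-to ($if_bce0 $if_bce0_gw) \
    from any to $if_bce0 keep state

# Case 2: hosts on 172.20.51/24 forwarding through this box.
# Traffic for the local host or either attached network is routed
# normally; anything else would take the default route, so it is sent
# back out bce0 to its gateway instead.
pass in quick on $if_bce0 from $if_bce0:network \
    to { $if_bce0:network $if_bce1:network } keep state
pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
    from $if_bce0:network to any keep state

# The server's own outbound traffic and the remaining forwarded traffic
# use the normal routing table.
pass out keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To confirm the first case is doing its job, open a connection to 172.20.51.10 from a host beyond 172.20.51.1, list the states with `pfctl -ss`, and watch `tcpdump -ni bce0` for the reply packets; if they still appear on bce1, the matching rule was not the one carrying reply-to or no state was created.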

