[Q] what is the correct way to filter by remote pf?
Zeus Panchenko
zeus at ibs.dn.ua
Tue Jun 27 11:51:47 UTC 2017
greetings
please, advise
WHAT I HAVE:
routerB <-> netX/16
   ^
   |
   V
clients <-> routerA <-> netX/24
WHAT I NEED:
to provide `clients <-> netX/24' traffic on the basis of routerB pf rules,
so the very decision to pass or to block has to be made on routerB
HOW I THINK TO DO THAT:
=================================================================================
VARIANT I
---------------------------------------------------------------------------------
---[ routerA pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]-------------------------------------------
---[ routerB pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
block <clients> to <netX>
...
---[ routerB pf.conf quotation end ]-------------------------------------------
RESULTS: I see packets redirected to routerB, but there the packets are looping
until the time to live is exceeded
=================================================================================
VARIANT II
---------------------------------------------------------------------------------
---[ routerA pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]-------------------------------------------
---[ routerB configuration quotation start ]-------------------------------------
rc.conf
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"
pf.conf
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
block <clients> to <netX24>
---[ routerB configuration quotation end ]-------------------------------------
RESULTS: the same as for VARIANT I
=================================================================================
VARIANT III
---------------------------------------------------------------------------------
something else ...
Might it relate to pfsync somehow?
--
Zeus V. Panchenko jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
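The "looping until the time to live exceeded" symptom described in both variants can be confirmed from the pflog1 capture on routerA rather than by guesswork: a router never rewrites the IP identification field, so one datagram ping-ponging between routerA and routerB shows up as repeated `pass in` log lines with the same id and a strictly decreasing TTL. The script below is an added example, not code from the post or from the pf project; it assumes the `tcpdump -n -e -ttt -v -i pflog1` line format, and the interface names em0/em1 and the addresses in the constructed sample are placeholders for `$if_clients-to-routerA`, `$if_routerA-to-routerB` and the real networks.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -e -ttt -v -i pflog1` output as captured on
# routerA (assumed format; em0/em1 stand in for $if_clients-to-routerA and
# $if_routerA-to-routerB). Datagram id 4321 enters once from the client side
# and then re-enters from routerB three times with the TTL shrinking by 2 per
# round trip; id 9001 is an ordinary single pass.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 4/0(match): pass in on em0: (tos 0x0, ttl 64, id 4321, offset 0, flags [DF], proto ICMP (1), length 84) 10.0.1.5 > 10.2.0.7: ICMP echo request, id 7, seq 1, length 64
00:00:00.000412 rule 5/0(match): pass in on em1: (tos 0x0, ttl 62, id 4321, offset 0, flags [DF], proto ICMP (1), length 84) 10.0.1.5 > 10.2.0.7: ICMP echo request, id 7, seq 1, length 64
00:00:00.000398 rule 5/0(match): pass in on em1: (tos 0x0, ttl 60, id 4321, offset 0, flags [DF], proto ICMP (1), length 84) 10.0.1.5 > 10.2.0.7: ICMP echo request, id 7, seq 1, length 64
00:00:00.000401 rule 5/0(match): pass in on em1: (tos 0x0, ttl 58, id 4321, offset 0, flags [DF], proto ICMP (1), length 84) 10.0.1.5 > 10.2.0.7: ICMP echo request, id 7, seq 1, length 64
00:00:00.120000 rule 4/0(match): pass in on em0: (tos 0x0, ttl 64, id 9001, offset 0, flags [DF], proto TCP (6), length 60) 10.0.1.9.51000 > 10.2.0.20.22: Flags [S], seq 1, win 65535, length 0
"""

# Fields needed to recognise the same datagram when it is logged again.
LINE_RE = re.compile(
    r"pass (in|out) on (\S+): \(.*?ttl (\d+), id (\d+),.*?\) "
    r"(\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?"
)

def parse_pflog(text):
    """Return one record per parsable 'pass' line, in capture order."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d, iface, ttl, ipid, src, _sp, dst, _dp = m.groups()
            records.append({"dir": d, "iface": iface, "ttl": int(ttl),
                            "ipid": int(ipid), "src": src, "dst": dst})
    return records

def find_loops(records, min_hits=3):
    """Datagrams (src, dst, IP id) passed min_hits or more times with a
    strictly decreasing TTL: the signature of a route-to ping-pong."""
    by_pkt = defaultdict(list)
    for r in records:
        by_pkt[(r["src"], r["dst"], r["ipid"])].append(r)
    loops = {}
    for key, hits in by_pkt.items():
        ttls = [h["ttl"] for h in hits]
        if len(hits) >= min_hits and all(a > b for a, b in zip(ttls, ttls[1:])):
            loops[key] = {"hits": len(hits), "ttl_first": ttls[0],
                          "ttl_last": ttls[-1],
                          "ifaces": sorted({h["iface"] for h in hits})}
    return loops

for (src, dst, ipid), info in find_loops(parse_pflog(SAMPLE_PFLOG)).items():
    print(f"loop: {src} > {dst} id {ipid}: {info['hits']} passes on "
          f"{','.join(info['ifaces'])}, ttl {info['ttl_first']} -> {info['ttl_last']}")
```

Feeding a real capture (`tcpdump -n -e -ttt -v -i pflog1 > pflog.txt`) through `parse_pflog` in place of the sample shows which interfaces the looping packets keep re-entering on, which is the fact needed to decide which of the two `route-to` rules is sending them back.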