
Re: PF and two interfaces



On Thu, Nov 04, 2004 at 10:47:06PM -0600, Matt Sellers wrote:
> ## PF.CONF
> # Trial Test - Route all 80 over SBC, rest to RCN
> int_if = "bge0"
> lan_net = "10.0.0.0/24"
> ext_if_sbc = "fxp0"
> ext_if_rcn = "re0"
> ext_gw_sbc = "67.36.180.95"
> 
> 
> nat on $ext_if_sbc from $lan_net to any -> ($ext_if_sbc)
> nat on $ext_if_rcn from $lan_net to any -> ($ext_if_rcn)
  this second nat line isn't ever going to be evaluated for any packet
  seen, as nat rules are first-match:
---pf.conf(5)---
     For each packet processed by the translator, the translation rules are
     evaluated in sequential order, from first to last.  The first matching
     rule decides what action is taken.
----------------
> pass in on $int_if tag INT_NET keep state
> pass in on $int_if proto tcp to port 80 tag INT_NET_HTTP keep state
> pass in quick on $int_if tagged INT_NET_HTTP route-to $ext_if_sbc,
> $ext_gw_sbc from $lan_net to any keep$
  when i use tags, i try to keep the rule where i actually tag the
  packet as precise as it needs to be, but then, later, keep the rule where
  i act upon those tags pretty vague.
eg
pass on $i inet6 from $ipv6_ip to !<firewall> keep state tag "ipv6ext" label "outbound"
pass on $e any tagged "ipv6ext" keep state
  that's somewhat of what i do for queueing my traffic.  think of it
  as trying to tag a packet if it matches a specific condition; but then
  later on, any packet tagged X gets acted on without any additional 
  conditions. ( looks like in your "pass quick tagged" rule, you also
  need it to match the $lan_net to any - which is just adding
  complexity it seems, in this context. )
  been a while since i used route-to; but maybe try something like:
pass in on $i inet proto tcp from $lan_net to any port 80 keep state tag INT_NET_HTTP
pass in on $i route-to ($ext_if_sbc $ext_gw_sbc) all tagged INT_NET_HTTP keep state
  jared
--
[ openbsd 3.6 GENERIC ( oct 12 ) // i386 ]
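An added, complete ruleset (not from either poster) that applies the tag-then-act pattern above to the quoted setup. Interface names and the SBC gateway are the ones quoted in the thread; the assumptions are that the RCN gateway is the system default route, and the `block all` and `pass out` rules are added so the file stands on its own.

```pf
# Constructed example: route LAN web traffic over SBC, everything else over RCN.
int_if     = "bge0"
lan_net    = "10.0.0.0/24"
ext_if_sbc = "fxp0"
ext_if_rcn = "re0"
ext_gw_sbc = "67.36.180.95"

# nat is per interface: each rule only sees packets leaving that interface.
nat on $ext_if_sbc from $lan_net to any -> ($ext_if_sbc)
nat on $ext_if_rcn from $lan_net to any -> ($ext_if_rcn)

block all

# 1. Tag precisely: only LAN -> TCP port 80 gets the tag. Tags are sticky,
#    so a later matching rule does not remove it.
pass in on $int_if inet proto tcp from $lan_net to any port 80 \
    keep state tag INT_NET_HTTP

# Everything else from the LAN passes untagged and follows the default route (RCN).
pass in on $int_if inet from $lan_net to any keep state

# 2. Act vaguely: any tagged packet is forced out the SBC link, no other
#    conditions. route-to takes "(interface gateway)" in parentheses and
#    sits before the address family / hosts part of the rule.
pass in quick on $int_if route-to ($ext_if_sbc $ext_gw_sbc) \
    all tagged INT_NET_HTTP keep state

# Let forwarded traffic leave on whichever external interface it was routed to.
pass out on { $ext_if_sbc $ext_if_rcn } keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the quick rule must come after the tagging rule, since `tagged` only sees tags applied by rules evaluated earlier.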