
Re: pf and Cisco route map equivalent?



On Wed, 23 Mar 2005 21:21:58 +0100 (CET), Xavier <[email protected]> wrote:
> Hi,
> 
> Just one question... Maybe stupid, pardon me!
> Can I define sort of "route maps" such as
> in Cisco devices with pf?
> 
> Ex: if source address = x.x.x.x -> send to next hop "y.y.y.y"
> 
YUP !!!
You can use the "route-to" option in PF.
I will post a portion of a working example from my firewall below;
the explanation is also given below.
# Gateway IP of the DSL Internet connection (next hop)
#
dsl_gw = "ip.ip.ip.ip"
#
# Pass and route all packets from the LAN with a source IP listed
# in the <dslusers> table through the DSL connection
#
pass in quick on $int_if route-to ( $ext_ifdsl $dsl_gw ) \
        from <dslusers> to any keep state
#
# Pass all packets from LAN to Internet
#
pass in on $int_if from $int_if:network to any keep state
#
#
EXPLANATION
----------------------
The firewall is connected to
1) LAN switch through $int_if
2) cable internet connection through $ext_ifcm
3) DSL connection through $ext_ifdsl
The default route of the firewall (/etc/mygate) is the Gateway (next
hop) for the cable internet connection.
So when a packet arrives on $int_if, it goes through the filter
rules, and if the packet has a source address that belongs to the
<dslusers> table then it matches the rule
pass in quick on $int_if route-to ( $ext_ifdsl $dsl_gw ) \
        from <dslusers> to any keep state
Since the above rule has the quick keyword in it, no further processing is
done, and since the rule has the route-to option in it the firewall's
routing table is bypassed (not consulted at all); the route
specified in the rule ($dsl_gw) is followed and the packet is sent out
the interface $ext_ifdsl.
Now when a packet from the LAN arrives on $int_if with a
source address that does not belong to the <dslusers> table, it goes
through the filtering rules and matches the rule
pass in on $int_if from $int_if:network to any keep state
so for these packets the firewall's routing table is consulted and the
packet is routed accordingly (in this case the "/etc/mygate" file contains the
gateway address (next hop) for the cable internet connection, so it
goes out through that connection via $ext_ifcm).
Hope it's clear :))
--Siju
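To show the route-to rule from the post in the context of a complete ruleset, here is an added example pf.conf. It is a constructed example, not Siju's firewall configuration: the interface names (fxp0, fxp1, fxp2), the DSL gateway address, the LAN addresses in the <dslusers> table and the nat rules are all assumptions. It uses the pre-OpenBSD 4.7 syntax of the original post (explicit keep state, separate nat rules) and adds the two things a practitioner usually needs next to the policy-routing rule: a default deny so that only the intended LAN traffic is routed, and a reply-to rule so that connections arriving on the DSL side are answered through the DSL gateway rather than through the default (cable) route.

```pf
# Constructed example pf.conf (not from the original post).
# Interface names, addresses and table members are assumptions.

int_if    = "fxp0"       # LAN
ext_ifcm  = "fxp1"       # cable modem; its gateway is in /etc/mygate (default route)
ext_ifdsl = "fxp2"       # DSL
dsl_gw    = "192.0.2.1"  # DSL next hop (assumed; documentation address)

# LAN hosts whose outbound traffic must leave via DSL.
# "persist" keeps the table loaded even when it is empty.
table <dslusers> persist { 10.0.0.10, 10.0.0.11 }

set skip on lo0

# Translate the private LAN behind whichever external interface the packet
# leaves on; route-to changes the outgoing interface before nat is applied,
# so both rules are needed.
nat on $ext_ifcm  from $int_if:network to any -> ($ext_ifcm)
nat on $ext_ifdsl from $int_if:network to any -> ($ext_ifdsl)

# Default deny: only the pass rules below forward anything.
block log all

# Policy route: "quick" stops rule evaluation here, and route-to hands the
# packet to $dsl_gw on $ext_ifdsl without consulting the routing table.
pass in quick on $int_if route-to ( $ext_ifdsl $dsl_gw ) \
        from <dslusers> to any keep state

# Everyone else on the LAN follows the kernel routing table (cable).
pass in on $int_if from $int_if:network to any keep state

# Let the forwarded packets out of either external interface.
pass out on { $ext_ifcm $ext_ifdsl } keep state

# Mirror of route-to: a connection that arrived on the DSL interface must be
# answered via the DSL gateway, otherwise replies leave via the default route
# with the wrong source address and the connection breaks.
pass in on $ext_ifdsl reply-to ( $ext_ifdsl $dsl_gw ) \
        proto tcp from any to ($ext_ifdsl) port 22 keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and inspect or change the policy-routed hosts at runtime with `pfctl -t dslusers -T show` and `pfctl -t dslusers -T add 10.0.0.12`, which lets you move a host between the two uplinks without reloading the ruleset. The quick keyword matters: pf normally applies the last matching rule, so without quick the general LAN rule that follows would win and the <dslusers> hosts would go out via cable like everyone else.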