>   I've the same situation here and we use route-to to route everything
> from ISP1's network to their gateway and vice-versa.
> 
>   route-to re-routes a packet from 1.0.0.0/24 when it's trying to leave
> through the ISP2 interface and everything then gets NAT'ed properly.
> 
>   pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) from
> $isp1_net to any
> 
It does not help. Actually, it looks like pf does not have control
over outgoing packets produced by pf itself. I can neither block
nor reroute these packets. I checked this very easily - I created the
rules

block out log quick from SOME_OUTSIDE_HOST/32 to any
block out log quick from any to SOME_OUTSIDE_HOST/32

and made them the very first rules of the firewall. Needless to say, when I
tried to telnet to router port 9999 from SOME_OUTSIDE_HOST, tcpdump on
the pflog0 device showed the incoming SYN but did not show the RST. On the
other hand, tcpdump on the default gateway interface showed the outgoing
RST. Again, from this I conclude that pf-generated packets (RST/ICMP)
are not subject to ruleset processing.
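A fuller two-ISP pf.conf built around the quoted route-to rule, added here as an example rather than taken from either poster's configuration: interface names and addresses are placeholders, ISP2 is assumed to hold the default route, and the block-policy line only applies if the observed RST came from a pf "block return" rule rather than from the kernel TCP stack.

```pf
# Added example, not from the thread. Placeholder interfaces/addresses.
ext_isp1_if = "em0"
ext_isp1_gw = "192.0.2.1"          # placeholder ISP1 gateway
isp1_net    = "192.0.2.0/24"       # placeholder block assigned by ISP1
ext_isp2_if = "em1"
ext_isp2_gw = "198.51.100.1"       # placeholder ISP2 gateway (default route)
isp2_net    = "198.51.100.0/24"

# pf-generated RST/ICMP replies are not passed through the ruleset again
# (the behaviour described above). If those replies come from "block
# return" rules, the simplest way to keep them off the wrong uplink is to
# drop silently instead of answering.
set block-policy drop

# Connections that arrive on ISP1 get their replies sent back via ISP1's
# gateway instead of the default route through ISP2.
pass in on $ext_isp1_if reply-to ($ext_isp1_if $ext_isp1_gw) \
    from any to $isp1_net keep state

# Traffic sourced from ISP1 addresses that routing would push out via
# ISP2 is forced back onto ISP1 (the rule quoted above).
pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) \
    from $isp1_net to any keep state

# Everything sourced from ISP2 addresses follows the default route.
pass out on $ext_isp2_if from $isp2_net to any keep state
```

Check the result the same way the post does: watch pflog0 and the egress interfaces with tcpdump and confirm that replies to ISP1-sourced connections leave on $ext_isp1_if.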
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf