Greetings,
please advise.
WHAT I HAVE:
routerB <-> netX/16
^
|
V
clients <-> routerA <-> netX/24
WHAT I NEED:
to provide `clients <-> netX/24' traffic on the basis of routerB pf rules,
so the very decision to pass or to block has to be made on routerB
HOW I THINK TO DO THAT:
=================================================================================
VARIANT I
---------------------------------------------------------------------------------
---[ routerA pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---------------------------------------------
---[ routerB pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
block <clients> to <netX>
...
---[ routerB pf.conf quotation end ]---------------------------------------------
RESULTS: I see packets redirected to routerB, but there the packets are looping
until the time to live is exceeded
=================================================================================
VARIANT II
---------------------------------------------------------------------------------
---[ routerA pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---------------------------------------------
---[ routerB configuration quotation start ]-------------------------------------
rc.conf
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"
pf.conf
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
block <clients> to <netX24>
---[ routerB configuration quotation end ]---------------------------------------
RESULTS: the same as for VARIANT I
=================================================================================
VARIANT III
---------------------------------------------------------------------------------
Something else ...
Could it relate to pfsync somehow?
--
Zeus V. Panchenko jid:[email protected]
IT Dpt., I.B.S. LLC GMT+2 (EET)
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf