I'm trying to use ipfilter to route messages based on the source tcp/ip address and source port. I have a sip proxy server listening on a specific interface (ce1), and want to route all sip traffic back out that specific interface (ce1). My default route is on a different interface (eri0), and I do not want to change this.

All of my sip traffic arrives on the correct interface, but routes out based on my routing table (below) and not by my ipfilter rules.

pass out quick on ce1 proto udp from 172.16.16.50/32 port 5060 >< 5061 to any keep state
Here's my modlist for interface ce1
dev01:root:/etc/rc2.d/> ifconfig ce1 modlist
0 arp
1 ip
2 pfil
3 ce
Here's my net config
dev01:root:/etc/rc2.d/> ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 5
inet 127.0.0.1 netmask ff000000
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 6
inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
ether 0:3:ba:85:37:9
ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7 <=== sip proxy
inet 172.16.16.50 netmask fffffc00 broadcast 172.16.255.255
ether 0:3:ba:85:37:a
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 8 <=== admin interface
inet 10.50.20.98 netmask fffffe00 broadcast 10.50.21.255
ether 0:3:ba:13:31:d7
eri1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 9
inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255
ether 0:3:ba:13:31:d8
My routing table
dev01:root:/etc/rc2.d/> netstat -nr
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0 192.168.1.1 U 1 3010 ce0
192.168.2.0 192.168.2.1 U 1 5605 eri1
10.50.20.0 10.50.20.98 U 1 12734 eri0
172.16.16.0 172.16.16.50 U 1 75 ce1
224.0.0.0 10.50.20.98 U 1 0 eri0
default 10.50.20.1 UG 1 6534
127.0.0.1 127.0.0.1 UH 173968330 lo0
Here's my ipf rule
dev01:root:/etc/rc2.d/> ipfstat -on
@1 pass out quick on ce1 proto udp from 172.16.16.50/32 port 5060 >< 5061 to any keep state
Here's my ipfstat
dev01:root:/etc/rc2.d/> ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 0 passed 634116 nomatch 393476 counted 0 short 0
output packets: blocked 0 passed 629220 nomatch 377366 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 240640 (out): 251854
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 1072 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 19866
Packet log flags set: (0)
none
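The following is an added illustration, not part of the original post, of why a plain "pass out ... on ce1" rule cannot pull SIP replies onto ce1: the kernel picks the outbound interface from the routing table first, and ipfilter's out rules are then evaluated on that interface, so a rule bound to ce1 only ever sees packets that were already routed to ce1. The routing table is rebuilt from the netstat -nr output above; netstat on Solaris prints no masks, so the prefix lengths are taken from the ifconfig -a netmasks and are an assumption of this example, as are the sample destination addresses (203.0.113.10 is a constructed off-subnet SIP peer).

```python
import ipaddress

# Routing table reconstructed from the post's "netstat -nr" output.
# Prefix lengths come from the post's "ifconfig -a" netmasks
# (ffffff00 = /24, fffffe00 = /23, fffffc00 = /22); the 224/4 and default
# entries are the usual Solaris forms. These are assumptions of this example.
ROUTES = [
    # (destination, gateway, interface; None where netstat left the column blank)
    ("192.168.1.0/24", "192.168.1.1", "ce0"),
    ("192.168.2.0/24", "192.168.2.1", "eri1"),
    ("10.50.20.0/23", "10.50.20.98", "eri0"),
    ("172.16.16.0/22", "172.16.16.50", "ce1"),
    ("224.0.0.0/4", "10.50.20.98", "eri0"),
    ("0.0.0.0/0", "10.50.20.1", None),   # the "default" line in the post
    ("127.0.0.1/32", "127.0.0.1", "lo0"),
]

# Interface the post's rule is bound to:
#   pass out quick on ce1 proto udp from 172.16.16.50/32 port 5060 >< 5061 to any keep state
RULE_IFACE = "ce1"


def lookup(dst, _depth=0):
    """Longest-prefix match against ROUTES, returning (network, gateway, interface).

    An indirect route whose interface column is blank is resolved the way the
    kernel does it: find the connected interface that owns the gateway's subnet.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    network, gw, iface = best
    if iface is None:
        if _depth > 1:
            raise LookupError(f"gateway {gw} is not on a connected network")
        iface = lookup(gw, _depth + 1)[2]
    return network, gw, iface


def out_rule_sees_packet(rule_iface, dst):
    """True only if the routing decision already sends dst out rule_iface.

    ipfilter's "pass out ... on <iface>" is a filter on an interface chosen
    earlier by the routing table; it does not change that choice.
    """
    return lookup(dst)[2] == rule_iface


def explain(dst):
    """Human-readable trace of where a reply to dst leaves the box."""
    network, gw, iface = lookup(dst)
    seen = out_rule_sees_packet(RULE_IFACE, dst)
    verdict = "rule can match" if seen else f"rule on {RULE_IFACE} never evaluated"
    return f"{dst}: route {network} via {gw} -> {iface}; {verdict}"


if __name__ == "__main__":
    # 172.16.17.20 is on ce1's /22, 203.0.113.10 is a constructed remote peer.
    for peer in ("172.16.17.20", "203.0.113.10", "10.50.21.7"):
        print(explain(peer))
```

Running it shows a peer on ce1's own subnet going out ce1 (the rule can match) while any peer reached through the default route goes out eri0, where a rule "on ce1" is never consulted, which is exactly the behaviour described in the post. Steering packets to a different interface is done in ipfilter with the routing keywords documented in ipf.conf(5) (to, dup-to, fastroute, reply-to) rather than with a plain pass rule; check the ipf.conf(5) page shipped with your IPFilter version for the exact form it supports, and verify the result with ipfstat -on and a packet capture on ce1 after changing the rule.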
