On Monday, July 30, 2012 03:38:58 pm you wrote:
> On 2012-07-30, Jeff Simmons <jsimm...@goblin.punk.net> wrote:
> > Given a machine with two interfaces to the internet, is there a way to
> > enforce symmetric routing (i.e. if1 and if2 with if1 as the default
> > route, can connections to if2 be somehow routed back out if2)?
> >
> > pf's reply-to and route-to perform this quite well for packets
> > traversing a router, but I haven't found anything for connections to
> > the router itself.
>
> reply-to should work here too, I use exactly that for semi-out-of-band
> SSH access via a backup ISP and the packets flow correctly.
>
> pass in quick inet proto tcp to (pppoe1:0) port ssh keep state
> (max-src-conn-rate 5/10 overload <BADHOSTS> flush global) reply-to
> 81.187.81.187@pppoe1
Hmm ... the following doesn't work:

pass in quick on $ext_if proto tcp from any to $ext_addr port 22 \
	keep state (max-src-conn 10, max-src-conn-rate 6/300, \
	overload <bruteforce> flush global) \
	reply-to ($ext_if $ext_gw)

With default route set to $ext2_if ssh still goes asymmetric on me (taking
all ssh access down when $ext2_if goes down, as it did for 4 hours this
morning).

Interesting.

-- 
Jeff Simmons                                    jsimm...@goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
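For reference, the setup the thread is talking about as a complete pf.conf fragment. This is an added example, not a rule set posted by either participant: it covers SSH arriving on both uplinks so that each session is answered through the gateway of the interface it came in on, whichever link holds the default route. The interface names, addresses, gateways and the second-link macros ($ext2_if, $ext2_gw) are placeholders I assumed; only $ext_if, $ext_gw and the <bruteforce> table come from the thread.

```pf
# Added example (not from the thread). Two uplinks on one OpenBSD host;
# ISP 1 on $ext_if holds the default route, ISP 2 on $ext2_if is backup.
# Interface names, addresses and gateways are placeholders.
ext_if  = "em0"
ext_gw  = "192.0.2.1"       # ISP 1 gateway (default route)
ext2_if = "em1"
ext2_gw = "198.51.100.1"    # ISP 2 gateway (backup, not the default route)

table <bruteforce> persist

# Hosts added to the table by the overload option are dropped first;
# this must precede the pass rules because both use "quick".
block in quick from <bruteforce>

# SSH arriving on the primary link: the state records $ext_if/$ext_gw,
# so replies leave through ISP 1.
pass in quick on $ext_if inet proto tcp to ($ext_if) port 22 \
	keep state (max-src-conn 10, max-src-conn-rate 6/300, \
	overload <bruteforce> flush global) \
	reply-to ($ext_if $ext_gw)

# SSH arriving on the backup link: same limits, but replies are handed
# to ISP 2's gateway even though the routing table would send them out
# $ext_if.
pass in quick on $ext2_if inet proto tcp to ($ext2_if) port 22 \
	keep state (max-src-conn 10, max-src-conn-rate 6/300, \
	overload <bruteforce> flush global) \
	reply-to ($ext2_if $ext2_gw)

# Keep the generic outbound rule free of route-to/reply-to so it cannot
# override the per-interface reply path chosen above.
pass out on { $ext_if $ext2_if } proto tcp keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -ss` to confirm that an SSH state created on $ext2_if was made by the rule carrying `reply-to ($ext2_if $ext2_gw)`.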