mcmer-open...@tor.at (Marcus MERIGHI), 2015.09.07 (Mon) 19:25 (CEST):
> marko.cu...@mimar.rs (Marko Cupa??), 2015.09.07 (Mon) 17:56 (CEST):
> > I have an OpenBSD firewall which talks BGP to 2 upstream ISPs.
> > bge0 - DMZ
> > em0 - ISP1
> > em1 - ISP2
> >
> > 80% of Internet routes are through ISP1, including the one from my home.
> >
> > I can ssh to em0 from home without problems - packets are being
> > returned through the same interface (em0). However, I can't ssh to em1,
> > I guess because packets are being returned through the other interface
> > (em0). I am not sure if packets are being blocked by PF or something
> > else causes the problem.
>
> pf.conf(5),
>   reply-to
>     The reply-to option is similar to route-to, but routes packets that
>     pass in the opposite direction (replies) to the specified
>     interface. Opposite direction is only defined in the context of a
>     state entry, and reply-to is useful only in rules that create
>     state. It can be used on systems with multiple external
>     connections to route all outgoing packets of a connection through
>     the interface the incoming connection arrived through (symmetric
>     routing enforcement).
Re-reading pf.conf(5), it'd be hard for me to come up with the rule I
once wrote. There are two references in faq/pf/pools.html and
./tables.html, nothing explicit.

  pass in on providerXY [...] keep state [...] reply-to ($providerXY_if $providerXY_gw)

Bye, Marcus
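The rule Marcus is recalling, spelled out for Marko's three-interface layout. This is an added example and not a ruleset from either poster; the interface names come from the original post, while the gateway and admin addresses are assumed placeholders from the RFC 5737 documentation ranges and the `reply-to (interface address)` form is the one pf.conf(5) documented at the time of the thread (later OpenBSD releases changed route-to/reply-to to take only a next-hop address, so check pf.conf(5) on the release you run):

```pf
# Added example, not from the thread. Symmetric-routing enforcement on a
# dual-homed OpenBSD firewall: replies to a connection that arrived on
# one upstream leave through that same upstream, whatever the BGP-learned
# routing table would otherwise choose.

dmz_if  = "bge0"
isp1_if = "em0"
isp1_gw = "192.0.2.1"       # assumed: ISP1 next hop reachable on em0
isp2_if = "em1"
isp2_gw = "198.51.100.1"    # assumed: ISP2 next hop reachable on em1
admin   = "203.0.113.10"    # assumed: the home address allowed to ssh in

set skip on lo

# Default deny; everything that is allowed is tracked statefully.
block log all

# Management access to each upstream address, one rule per upstream.
# reply-to binds the reply direction of the state to the interface and
# gateway the SYN came in on. The "keep state" is the default on OpenBSD
# and is written out only because the option is meaningless without state.
pass in quick on $isp1_if inet proto tcp from $admin to ($isp1_if) port 22 \
    reply-to ($isp1_if $isp1_gw) keep state
pass in quick on $isp2_if inet proto tcp from $admin to ($isp2_if) port 22 \
    reply-to ($isp2_if $isp2_gw) keep state

# BGP sessions with each upstream, initiated in either direction.
pass quick on $isp1_if inet proto tcp from ($isp1_if) to $isp1_gw port 179
pass quick on $isp1_if inet proto tcp from $isp1_gw to ($isp1_if) port 179
pass quick on $isp2_if inet proto tcp from ($isp2_if) to $isp2_gw port 179
pass quick on $isp2_if inet proto tcp from $isp2_gw to ($isp2_if) port 179

# Traffic from the DMZ follows the routing table on the way out; with
# floating states (the default) its replies are matched wherever they
# come back in, so no reply-to is needed here.
pass in quick on $dmz_if inet from ($dmz_if:network) to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the states, and `tcpdump -n -e -ttt -i pflog0` shows whether the SYN to em1 or its SYN/ACK was actually blocked by pf. No separate `pass out` rule is needed for the replies: they match the state created by the `pass in` rule, and reply-to overrides the route lookup for them. One point the thread leaves implicit: even if pf lets the SYN/ACK leave through em0, it carries em1's address as source, and an upstream that does BCP 38 source-address validation will drop it, so the symptom Marko describes is expected with asymmetric return routing regardless of whether pf blocks anything.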