Hello! I have a trunk0 interface on a router (#1) that is used for a singular purpose -- to pass (IPsec protected) traffic for an IPIP tunnel (gif0) to another router (#2). I have configured PF rules on router #1 that prevent any other type of traffic from passing on trunk0. There are several routing table entries that forward to router #2 on gif0.
My objective is to configure an additional pass rule that would allow SSH traffic destined for router #1 to pass in and out on trunk0. The problem is that the aforementioned routes on gif0 cause packets sent in reply to incoming SSH traffic to pass out on gif0 (after passing in on trunk0). This ends up getting blocked by PF on router #1 because the state-policy is set to if-bound (which is how I want it). I am trying to use reply-to to enforce symmetric routing, but it isn't working. As you will see below, my "reply-to" rule is matched, but the reply is _still_ routed to gif0:

# tcpdump -nevvpi pflog0 tcp port 22
tcpdump: WARNING: snaplen raised from 116 to 224
tcpdump: listening on pflog0, link-type PFLOG
01:27:46.503040 rule 5/(match) [uid 0, pid 16018] pass in on trunk0: [uid 4294967295, pid 100000] [SSH CLIENT IP].57427 > [TRUNK0 IP].22: S [tcp sum ok] 1707770457:1707770457(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF) (ttl 127, id 24244, len 52)
01:27:46.503069 rule 4/(match) [uid 0, pid 16018] block out on gif1: [uid 4294967295, pid 100000] [TRUNK0 IP].22 > [SSH CLIENT IP].57427: S [tcp sum ok] 4100262020:4100262020(0) ack 1707770458 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3> (DF) (ttl 64, id 43497, len 52, bad ip cksum 0! -> d71b)
^C
2 packets received by filter
0 packets dropped by kernel

# pfctl -sr | grep @5
@5 pass in log quick on trunk0 inet proto tcp from any to [TRUNK0 IP] port = 22 flags S/SA keep state (if-bound) reply-to <ROUTER #2 IP>@trunk0

Router #1 is running OpenBSD 6.2. Anyone have any idea why this isn't working the way I want it to?

Joe
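Added example, not part of the original post: a small Python checker that pairs pflog records of the kind shown above and flags flows whose request was passed in on one interface while the reply was blocked out on another, which is the symptom an if-bound state produces when routing is asymmetric. It assumes the "tcpdump -nevvpi pflog0" record layout seen in the post; the sample lines are constructed and use RFC 5737 documentation addresses in place of the bracketed placeholders.

```python
import re

# Constructed sample pflog lines in the "tcpdump -nevvpi pflog0" layout from
# the post; addresses are RFC 5737 documentation ranges, not the poster's.
SAMPLE_PFLOG = """\
01:27:46.503040 rule 5/(match) [uid 0, pid 16018] pass in on trunk0: [uid 4294967295, pid 100000] 192.0.2.10.57427 > 198.51.100.1.22: S [tcp sum ok] 1707770457:1707770457(0) win 64240 (DF)
01:27:46.503069 rule 4/(match) [uid 0, pid 16018] block out on gif1: [uid 4294967295, pid 100000] 198.51.100.1.22 > 192.0.2.10.57427: S [tcp sum ok] 4100262020:4100262020(0) ack 1707770458 win 16384 (DF)
01:28:01.100000 rule 5/(match) [uid 0, pid 16018] pass in on trunk0: [uid 4294967295, pid 100000] 192.0.2.11.40001 > 198.51.100.1.22: S [tcp sum ok] 1:1(0) win 64240 (DF)
01:28:01.100200 rule 5/(match) [uid 0, pid 16018] pass out on trunk0: [uid 4294967295, pid 100000] 198.51.100.1.22 > 192.0.2.11.40001: S [tcp sum ok] 2:2(0) ack 2 win 16384 (DF)
"""

# One pflog record: timestamp, rule number, action, direction, interface, 4-tuple.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\(match\) \[uid \d+, pid \d+\] "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"\[uid \d+, pid \d+\] (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Parse tcpdump pflog output into dicts; non-record lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_asymmetric_flows(text):
    """Pair each passed inbound packet with a later blocked outbound packet of
    the reversed 4-tuple. A hit means the reply left on a different interface
    than the request arrived on, which an if-bound state will not match."""
    inbound = {}  # (src, sport, dst, dport) -> interface the request came in on
    findings = []
    for ev in parse_pflog(text):
        key = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        if ev["action"] == "pass" and ev["dir"] == "in":
            inbound[key] = ev["ifname"]
        elif ev["action"] == "block" and ev["dir"] == "out":
            rev = (ev["dst"], ev["dport"], ev["src"], ev["sport"])
            in_if = inbound.get(rev)
            if in_if is not None and in_if != ev["ifname"]:
                findings.append({"rule": ev["rule"], "in_if": in_if,
                                 "out_if": ev["ifname"], "flow": rev})
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_flows(SAMPLE_PFLOG):
        print("asymmetric reply: %s:%s -> %s:%s in on %s, reply blocked out on %s (rule %s)"
              % (f["flow"] + (f["in_if"], f["out_if"], f["rule"])))
```

Feed it real output with `tcpdump -nevvpi pflog0 | python3 checker.py` style piping by replacing SAMPLE_PFLOG with sys.stdin.read(); the second sample flow, which replied on trunk0, correctly produces no finding.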