Berk D. Demir wrote:
> Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
>> Hi all,
>> [.. cut ..]
>>     Then, when I put the sticky-address in the main firewall, strange
>> things happened. The source-tracking states were created, but the
>> machines, sometimes, were directed to the other link, not the one in the
>> source-track. For example, when pinging an external address from an
>> internal machine, the initial source track directed it to one of the
>> links. The packets went right. Then, if I stopped the ping, and tried it
>> again, the packets were directed to the other link. I confirmed this
>> with tcpdump on the firewall's interfaces.
>> [.. cut ..]
>
> Did you try to read the man page pf.conf(5)?
>
> I'm pasting the related paragraph below.
>
>  Additionally, the sticky-address option can be specified to help ensure
>  that multiple connections from the same source are mapped to the same
>  redirection address.  This option can be used with the random and
>  round-robin pool options.  Note that by default these associations are
>  destroyed as soon as there are no longer states which refer to them; in
>  order to make the mappings last beyond the lifetime of the states,
>  increase the global options with set timeout source-track
>  See STATEFUL TRACKING OPTIONS for more ways to control the source
>  tracking.
>
> So setting "src.track" timeout to sane values (say 320 or 640 seconds)
> will make things work as expected.
>
> Reading man pages from head-to-toe will sharpen your skills and decrease
> your mail traffic.
>
> bdd
>
Then you might tell me why, even with a source track entry set directing
traffic from one internal IP to one specific gateway, the packets
sometimes are redirected to the other gateway?

And something very weird happened in my test firewall. I put 3
machines behind it, and one of them, with a source track of more than
one hour, suddenly started to get its packets redirected to the other
gateway, and lost its internet connectivity. I had to do a pfctl -k to
kill the source track entry of the machine.

I'll try to play with this timeout, and I did read the man page. But neither the
FAQ nor the man page said that you must set the src.track timeout. That
was the reason I didn't mess with it.

Anyway, thanks for the fast reply. Will tell if it works.

My regards,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
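For readers following the thread: the configuration shape being discussed (two uplinks balanced with round-robin and sticky-address, plus the src.track timeout Berk points at) looks like the following. This is an added example, not a config from either poster; the interface names, gateway addresses and LAN range are placeholders, and the nat/route-to syntax is that of the OpenBSD 3.x/4.x pf this thread concerns.

```pf
# Added example (placeholders, not the poster's setup):
# two uplinks fxp0/fxp1 with gateways gw1/gw2, LAN on sis0.
ext_if1 = "fxp0"
ext_if2 = "fxp1"
int_if  = "sis0"
gw1     = "192.0.2.1"
gw2     = "198.51.100.1"
lan     = "10.0.0.0/24"

# By default src.track is 0: a source -> gateway mapping is dropped as soon
# as the last state referring to it goes away, so the next connection from
# the same host can be handed to the other link by round-robin.
# Keeping the mapping for 640 seconds (one of the values suggested above)
# makes a host stick to its gateway across idle gaps.
set timeout src.track 640

# Source NAT on each uplink so replies come back on the link that was used.
nat on $ext_if1 from $lan to any -> ($ext_if1)
nat on $ext_if2 from $lan to any -> ($ext_if2)

# Balance LAN traffic over the two gateways; sticky-address pins each
# internal source address to the gateway it was first assigned.
pass in on $int_if route-to \
    { ($ext_if1 $gw1), ($ext_if2 $gw2) } round-robin sticky-address \
    from $lan to any keep state
```

After loading, `pfctl -s Sources` lists the per-source gateway associations and `pfctl -s timeouts` confirms the src.track value in effect; an entry that disappears between two pings while src.track is still 0 is the behaviour described in the thread.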
