On 1/6/07, S t i n g r a y <[EMAIL PROTECTED]> wrote:
> Well few days ago i mailed a problem of mine which was that i have purchased multiple internet connections & now would like to divide specific protocols between them ,
Yes you can :-) One way is to use the "route-to" keyword in your rules to dictate the Internet connection through which the matching packets should go out.

Now to specify protocols in a rule you could use the "proto" keyword followed by the protocol name or protocol number (http://www.iana.org/assignments/protocol-numbers). For example, to match the IPv4 TCP protocol you could use either one of the following in your rules:

inet proto tcp
inet proto 6

For a list of all the protocol name to number mappings used by pfctl(8), see the file /etc/protocols.

Now if you want to filter at a finer grain, for protocols like http or ftp, you could make use of the port number or their corresponding entry in /etc/services.

For example, let us take this scenario: your firewall has 3 interfaces, to which you have defined 3 corresponding macros in pf.conf as follows

=====================
int_if="epic0"
ext_if1="pcn0"
ext_if2="fxp0"
========================

Let the gateway IP addresses of the two corresponding Internet connections have these corresponding macros too in your pf.conf

====================================================
#Gateway IP address of Internet connection through $ext_if1
gw_if1="xxx.yyy.zzz.qqq"
#Gateway IP address of Internet connection through $ext_if2
gw_if2="aaa.bbb.ccc.ddd"
=====================================================

Now the rule for sending all UDP packets that are DNS queries from the LAN through the Internet connection at $ext_if1 would look like

=========================================================
pass in on $int_if route-to ($ext_if1 $gw_if1) \
    inet proto udp from $int_if:network to any port 53 keep state
=========================================================

Sending all packets from the LAN to webservers on the Internet through the Internet connection at $ext_if2 would (using protocol numbers) look like

============================================================
pass in on $int_if route-to ($ext_if2 $gw_if2) \
    inet proto 6 from $int_if:network to any port { 80, 443 } keep state
================================================================

Sending all packets from the LAN to ssh servers on the Internet through the Internet connection at $ext_if1 again would (using protocol names) look like

====================================================================
pass in on $int_if route-to ($ext_if1 $gw_if1) \
    inet proto tcp from $int_if:network to any port ssh keep state
===================================================================

Adding sufficient NAT rules for $ext_if would be necessary to let these packets out if you use IPs in the RFC 1918 range.

Write your own rules :-) And if you get stuck post it here. Somebody is sure to help you out. I had the same fear initially when I started using pf with 3.5 :-)

Kind Regards
Siju
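The fragments above, assembled into one complete multi-WAN pf.conf as an added example (this is not part of Siju's mail and not a file from any project). It reuses the interface macros from the mail, keeps the gateway IPs as placeholders, and adds a constructed LAN prefix (192.168.1.0/24), the default-deny rule, the NAT rules the mail says are still needed, and two "pass out" route-to rules that keep the firewall's own uplink-sourced traffic on the interface that owns the source address. The NAT syntax is the pre-OpenBSD 4.7 "nat on" form that was current when the mail was written.

```pf
# Added example, not from the original mail. Interface names come from the
# mail; the LAN prefix is constructed and the gateway IPs are placeholders.

int_if="epic0"
ext_if1="pcn0"
ext_if2="fxp0"

# Gateway IP address of the Internet connection through $ext_if1 (placeholder)
gw_if1="xxx.yyy.zzz.qqq"
# Gateway IP address of the Internet connection through $ext_if2 (placeholder)
gw_if2="aaa.bbb.ccc.ddd"

# Constructed RFC 1918 prefix used by the LAN behind $int_if
lan_net="192.168.1.0/24"

set skip on lo

# NAT on both uplinks: the LAN uses private addresses, so whichever uplink
# route-to selects, the packet must leave with that uplink's own address.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Default deny: only the rules below let anything through either uplink.
block log all

# Traffic originating from the firewall itself: if the kernel's default route
# would push a packet sourced from one uplink's address out the other uplink,
# route-to returns it to the interface that owns that source address.
pass out on $ext_if1 route-to ($ext_if2 $gw_if2) from $ext_if2
pass out on $ext_if2 route-to ($ext_if1 $gw_if1) from $ext_if1

# DNS queries from the LAN leave through the first uplink
# ("domain" is the /etc/services name for port 53)
pass in on $int_if route-to ($ext_if1 $gw_if1) \
    inet proto udp from $lan_net to any port domain keep state

# Web traffic from the LAN leaves through the second uplink
# ("www" and "https" are the /etc/services names for 80 and 443)
pass in on $int_if route-to ($ext_if2 $gw_if2) \
    inet proto tcp from $lan_net to any port { www, https } keep state

# ssh from the LAN leaves through the first uplink
pass in on $int_if route-to ($ext_if1 $gw_if1) \
    inet proto tcp from $lan_net to any port ssh keep state

# Everything else from the LAN follows the kernel routing table (default route)
pass in on $int_if from $lan_net to any keep state

# States are floating by default, so LAN packets already matched by the
# "pass in" rules leave the uplinks without re-evaluating the ruleset; this
# rule covers the firewall's own outbound connections.
pass out on { $ext_if1 $ext_if2 } keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (the `-n` flag only parses, so a syntax slip cannot take the firewall down), then load with `pfctl -f /etc/pf.conf`. Two points worth keeping in mind: the "pass in" rules on $int_if are the policy point, so restricting them to `from $lan_net` means a packet with a spoofed source arriving on another interface never picks up a route-to decision; and route-to bypasses the routing table entirely, so a packet is handed to the named gateway even when that uplink is down. On OpenBSD 4.7 and later the two NAT lines become `match out on $ext_if1 from $lan_net nat-to ($ext_if1)` (and likewise for $ext_if2).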

