On 06/08/2010 04:24 PM, Jussi Peltola wrote:
reply-to
Well, I guess I don't know how to use it or interpret the information
stored in the state. I added the reply-to to rule 50 only (below).
Packet comes in on em1, reply should be routed to em1, but it is
still blocked on em0.
tcpdump:
Jun 08 20:46:38.422169 rule 50/(match) pass in on em1:
193.234.218.146.58216 > 88.192.133.155.22: S 3802005102:3802005102(0)
win 32768 <mss 1460,nop,wscale 3,sackOK,nop,nop,[|tcp]> (DF)
Jun 08 20:46:38.422407 rule 13/(match) block out on em0: 10.0.0.10.22 >
193.234.218.146.58216: S 3545670227:3545670227(0) ack 3802005103 win
5792 <mss 1460,sackOK,timestamp 167012[|tcp]> (DF)
rules:
r...@fw:~$ pfctl -vvsr | grep @50
@50 pass in log (all) quick on em1 inet proto tcp from any to 10.0.0.10
port = ssh flags S/SA keep state (if-bound) reply-to <gw_em1:1>@em1
round-robin
r...@fw:~$ pfctl -vvsr | grep @13
@13 block return log all
state:
em1 tcp 10.0.0.10:22 (88.192.133.155:22) <- 193.234.218.146:57937
CLOSED:SYN_SENT
[0 + 1] [3711588966 + 2]
age 00:00:04, expires in 00:01:56, 1:0 pkts, 64:0 bytes, rule 50
id: 4c0be680000336d7 creatorid: 76fab024
-Teemu
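As an added example (not from the thread, and not pf's own code), the following Python script parses the two formats pasted above, the tcpdump pflog lines and the `pfctl -ss` state lines, and for each blocked packet reports whether it is the forward or the reply direction of an existing state and whether the interface the packet was logged on is the one the state is bound to. It assumes the pflog line shape `rule N/(reason) action dir on IF: src.port > dst.port:` and the state line shape `IF proto addr:port [(translated:port)] <-|-> addr:port` exactly as they appear in the message; other output variants are not handled. The sample lines are constructed to mirror the ones in the message, with the remote port of the first blocked packet changed to 57937 so that it lines up with the state entry.

```python
"""Correlate pflog 'block' lines with pf state entries (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, str, str]  # (src, sport, dst, dport) as seen on the wire

# tcpdump -i pflog0 style line, as printed in the message (options trimmed)
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# pfctl -ss style line: IF proto a:port [(t:port)] <-|-> b:port
# '<-' is an inbound state (a = post-rdr local address, t = address on the wire)
# '->' is an outbound state (a = local source, t = NATed source on the wire)
STATE_RE = re.compile(
    r"^(?P<ifname>\S+) (?P<proto>\w+) (?P<a>[\d.]+):(?P<aport>\d+)"
    r"(?: \((?P<t>[\d.]+):(?P<tport>\d+)\))? (?P<arrow><-|->) "
    r"(?P<b>[\d.]+):(?P<bport>\d+)"
)


def parse_pflog(line: str) -> Optional[Dict[str, str]]:
    m = PFLOG_RE.search(line)
    return m.groupdict() if m else None


def parse_state(line: str) -> Optional[Dict[str, str]]:
    m = STATE_RE.match(line.strip())
    return m.groupdict() if m else None


def state_keys(st: Dict[str, str]) -> Tuple[Set[Key], Set[Key]]:
    """Return (forward, reply) wire keys for a state.

    Both the pre- and post-translation addresses are included, because a
    packet that misses the state is logged untranslated (as 10.0.0.10 above).
    """
    local = [(st["a"], st["aport"])]
    if st["t"]:
        local.append((st["t"], st["tport"]))
    remote = (st["b"], st["bport"])
    to_local = {(remote[0], remote[1], la, lp) for la, lp in local}
    from_local = {(la, lp, remote[0], remote[1]) for la, lp in local}
    if st["arrow"] == "<-":      # inbound: remote sends first, local replies
        return to_local, from_local
    return from_local, to_local  # outbound: local sends first, remote replies


def correlate(pflog_lines: List[str], state_lines: List[str]) -> List[Dict]:
    """For every blocked packet, find the state (if any) it belongs to."""
    states = [s for s in map(parse_state, state_lines) if s]
    findings = []
    for line in pflog_lines:
        pkt = parse_pflog(line)
        if not pkt or pkt["action"] != "block":
            continue
        key: Key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        finding: Dict = {"packet": key, "ifname": pkt["ifname"],
                         "dir": pkt["dir"], "rule": pkt["rule"], "match": None}
        for st in states:
            fwd, rev = state_keys(st)
            direction = "reply" if key in rev else "forward" if key in fwd else None
            if direction:
                finding["match"] = {
                    "direction": direction,
                    "state_if": st["ifname"],
                    # floating states ('all') match on any interface
                    "same_if": st["ifname"] in ("all", pkt["ifname"]),
                }
                break
        findings.append(finding)
    return findings


def describe(f: Dict) -> str:
    src, sport, dst, dport = f["packet"]
    head = f"block {f['dir']} on {f['ifname']} {src}:{sport} > {dst}:{dport} (rule {f['rule']}): "
    m = f["match"]
    if m is None:
        return head + "no state covers this packet in either direction"
    if m["same_if"]:
        return head + f"{m['direction']} direction of a state on {m['state_if']}"
    return head + (f"{m['direction']} direction of a state bound to {m['state_if']}, "
                   f"but the packet is on {f['ifname']}; an if-bound state cannot match it there")


# Constructed sample input mirroring the message (options trimmed, ports aligned)
SAMPLE_PFLOG = [
    "Jun 08 20:46:38.422169 rule 50/(match) pass in on em1: 193.234.218.146.57937 > 88.192.133.155.22: S 3802005102:3802005102(0) win 32768 (DF)",
    "Jun 08 20:46:38.422407 rule 13/(match) block out on em0: 10.0.0.10.22 > 193.234.218.146.57937: S 3545670227:3545670227(0) ack 3802005103 win 5792 (DF)",
    "Jun 08 20:46:39.000000 rule 13/(match) block out on em0: 10.0.0.10.22 > 193.234.218.146.58216: S 1:1(0) ack 2 win 5792 (DF)",
]
SAMPLE_STATES = [
    "em1 tcp 10.0.0.10:22 (88.192.133.155:22) <- 193.234.218.146:57937",
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_PFLOG, SAMPLE_STATES):
        print(describe(finding))
```

Run it against real output by replacing the two sample lists with the lines from `tcpdump -n -e -ttt -i pflog0` and `pfctl -ss`; the only thing the script knows is the 4-tuple and the interface name, so it will not tell you why a packet took a given route, only that an existing state does or does not cover it where it was seen.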