On Fri, May 25, 2018 at 10:40:14AM -0400, Greg Troxel wrote:
>
> Patrick Welche <pr...@cam.ac.uk> writes:
>
> > Maybe this use-case is "don't do that". Essentially: take an "internal"
> > computer, with its default gateway. Add another network card. Connect
> > it directly to "outside", and say run a webserver on it. If you run
> > ipf saying block everything on the external card except to port http
> > keep state, anyone can successfully connect to your webserver, but
> > not to your sshd. If you try the same with npf, the reply from the
> > server will be routed via the default gateway, and the 3rd packet,
> > i.e., the second from the web client, will be blocked as not matching
> > the connection state. (I was confused for ages in PR 53199)
> > ("outside" has its own gateway.)
>
> Asymmetric routing and firewalls is tricky business, and requires
> cooperating firewalls to synchronize state.
>
> So if you want to send replies via not the default gateway, then you
> need explicit support for routing them contrary to routing. I suspect
> npf can do this, but that it needs to be explicitly configured.

Any idea how? (bpf rules rather than npf syntax?)

Cheers,

Patrick
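The following is an added illustration, not part of this thread and not npf or ipf source code. It is a deliberately small model of what a stateful TCP filter sees when the server's SYN-ACK leaves through a different interface than the client's SYN arrived on, which is the situation the thread describes. The class and parameter names (`StatefulFilter`, `bind_iface`, `inspected_ifaces`) and the RFC 5737 documentation addresses are assumptions made for the example. The `bind_iface=True` mode keys state on the interface plus endpoints, the behaviour npf.conf(5) documents for its `stateful` keyword (the manual's `stateful-ends` keyword drops the interface from the key, but whether that alone resolves this two-gateway layout is not something the thread establishes). The model shows why the third packet of the handshake is blocked: the filter never observed the SYN-ACK, so an inbound ACK does not match the expected connection state.

```python
"""Constructed model of per-interface stateful TCP tracking under asymmetric
routing. Added example, not npf/ipf code; the handshake state machine and the
interface-bound state key are simplifications of what a real filter does."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the firewall sees the packet on
    direction: str        # "in" or "out" relative to the host
    src: Endpoint
    dst: Endpoint
    flags: frozenset      # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass
class StatefulFilter:
    """Policy: on inspected interfaces, block everything except inbound
    connections to allowed_port, tracked statefully.

    bind_iface=True  -> state key is (interface, endpoints)  [hypothetical]
    bind_iface=False -> state key is endpoints only
    """
    bind_iface: bool = True
    inspected_ifaces: Tuple[str, ...] = ("ext",)
    allowed_port: int = 80
    states: Dict[tuple, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _key(self, pkt: Packet) -> tuple:
        # Canonical endpoint pair so both directions map to one state entry.
        ends = tuple(sorted([pkt.src, pkt.dst]))
        return (pkt.iface, ends) if self.bind_iface else ends

    def filter(self, pkt: Packet) -> str:
        """Return "pass" or "block" for one packet, advancing state."""
        if pkt.iface not in self.inspected_ifaces:
            # No rules on this interface: packet is neither blocked nor
            # used to advance any connection state.
            self.log.append(f"{pkt.iface}: not inspected, state untouched")
            return "pass"
        key = self._key(pkt)
        st = self.states.get(key)
        if st is None:
            # Only an inbound SYN to the allowed port may create state.
            if (pkt.direction == "in" and pkt.flags == {"SYN"}
                    and pkt.dst[1] == self.allowed_port):
                self.states[key] = "SYN_SEEN"
                self.log.append(f"{pkt.iface}: new state SYN_SEEN")
                return "pass"
            self.log.append(f"{pkt.iface}: no state, default block")
            return "block"
        if st == "SYN_SEEN" and pkt.direction == "out" and pkt.flags == {"SYN", "ACK"}:
            self.states[key] = "SYNACK_SEEN"
            return "pass"
        if st == "SYNACK_SEEN" and pkt.direction == "in" and pkt.flags == {"ACK"}:
            self.states[key] = "ESTABLISHED"
            return "pass"
        if st == "ESTABLISHED":
            return "pass"
        # e.g. an inbound ACK while the state is still SYN_SEEN because the
        # SYN-ACK went out another interface: "not matching connection state".
        self.log.append(f"{pkt.iface}: {pkt.flags} unexpected in state {st}, block")
        return "block"


# Constructed addresses (RFC 5737 documentation ranges).
CLIENT: Endpoint = ("203.0.113.10", 40000)
SERVER: Endpoint = ("198.51.100.5", 80)


def handshake(reply_iface: str) -> List[Packet]:
    """Three-way handshake; the SYN-ACK leaves via reply_iface."""
    return [
        Packet("ext", "in", CLIENT, SERVER, frozenset({"SYN"})),
        Packet(reply_iface, "out", SERVER, CLIENT, frozenset({"SYN", "ACK"})),
        Packet("ext", "in", CLIENT, SERVER, frozenset({"ACK"})),
    ]


def run(fw: StatefulFilter, pkts: List[Packet]) -> List[str]:
    return [fw.filter(p) for p in pkts]


if __name__ == "__main__":
    for label, fw, reply in [
        ("symmetric, iface-bound state", StatefulFilter(), "ext"),
        ("asymmetric, iface-bound state", StatefulFilter(), "int"),
        ("asymmetric, endpoint-keyed, both ifaces inspected",
         StatefulFilter(bind_iface=False, inspected_ifaces=("ext", "int")), "int"),
    ]:
        print(label, run(fw, handshake(reply)), fw.log)
```

Running the script prints three verdict lists: the symmetric case and the endpoint-keyed case pass all three packets, while the asymmetric case with interface-bound state passes the SYN, lets the SYN-ACK out untouched on the uninspected interface, and then blocks the client's ACK. An inbound SYN to port 22 on `ext` is blocked in every configuration, which is the "webserver yes, sshd no" policy the original message wants.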