Hi list,
I'd like to use PF's route-to option to route traffic through a tunnel
(tun0) interface for certain ports only.
From what I read here: http://www.openbsd.org/faq/pf/pools.html, here:
http://www.monkey.org/openbsd/archive/misc/0311/msg00640.html and here
http://www.benzedrine.cx/pf/msg04941.html, these rules should do the trick:
--[snip]--
nat on $ext_if from $lan_net to any -> $ext_if
nat on $tun_if from $lan_net to any -> $tun_if
pass in quick on $int_if route-to ($tun_if $tun_gw) \
proto tcp from $lan_net to any port 25 keep state
--[snip]--
but they don't. It's like the "keep state" flag is not acting, because
when I tcpdump on a target machine:
some.lan_net.machine$ telnet target 25
target.machine# tcpdump -vv -i sis0 dst port 25
tcpdump: listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
14:30:16.594788 IP (tos 0x10, ttl 59, id 50921, offset 0, flags [DF], proto: TCP (6), length: 60)
    tunnel.interface.1635 > target.smtp: S, cksum 0xf540 (incorrect (-> 0xca86),
    4250289696:4250289696(0) win 5840 <mss 1460,sackOK,timestamp 598704329 0,nop,wscale 2>
the target is effectively reached by the right tunneled host, but the
reply never comes back. And yes, the tunnel works; routing by default
over it is OK.
Is there any trick I misread?
Thanks for your time.
NB: just in case, I'm using the NetBSD 3.0 PF port.
-------------------------
iMil <[EMAIL PROTECTED]>                              _
http://gcu-squad.org     ASCII ribbon campaign      ( )
                         against HTML email          X
                         & vCards                   / \