Firewall using OpenBSD 3.8, 2 WAN, 1 LAN

I am experiencing a problem with my configuration of pf as regards the
choice of WAN ports to route an outgoing packet. Can someone help
please?

The scenario comes up when ext_if1 is the default gateway in the
routing tables, but I am trying to use a rule to force a packet from a
machine on the LAN to route through ext_if2. In some cases, the packet
gets routed to ext_if1 and then dropped. I can't figure out why, and
this seems like a very easy case to get right. I have this rule:

pass in quick on $int_if \
        route-to ($ext_if2 $ext_gw2) \
        inet proto tcp from 192.168.1.120 to any flags S/SA \
        keep state (floating) \
        label "xxx"

If I go to 192.168.1.120 and try to connect to an offsite computer,
some packets (not all) are dropped and show up on pflog0 as so:

/etc >> tcpdump -e -i pflog0 
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
19:13:50.464705 rule 3/(match) block out on fxp0: <src>.63198 >
<dest>.45870: [|tcp] (DF)
19:13:53.457378 rule 3/(match) block out on fxp0: <src>.53544 >
<dest>.45870: [|tcp] (DF)
19:13:53.486403 rule 3/(match) block out on fxp0: <src>.54951 >
<dest>.45870: [|tcp] (DF)
19:13:59.457679 rule 3/(match) block out on fxp0: <src>.57831 >
<dest>.45870: [|tcp] (DF)
19:13:59.611530 rule 3/(match) block out on fxp0: <src>.56602 >
<dest>.45870: [|tcp] (DF)

where rule 3 is "block drop out log on fxp0 all". (fxp0 == ext_if1).

If I look at the stats for that rule before and after attempting to
connect, I see that the connection has resulted in matching packets and
bytes but state = 0. How it can match without creating state, I don't
know!

Any helpful pointers would be much appreciated.

George
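A complete pf.conf for the two-WAN, one-LAN layout described in the post, added here as an example (it is not the poster's configuration), showing the companion rules such a setup usually carries alongside a route-to rule: NAT on both external interfaces, a pass out rule with keep state on each WAN, and reply-to on inbound connections arriving at the non-default WAN. It uses OpenBSD 3.8 rule syntax; the second WAN and LAN interface names, the gateway addresses and the ssh service are assumed placeholders.

```pf
# Added example pf.conf for a two-WAN / one-LAN OpenBSD 3.8 firewall.
# Interface names other than fxp0 and all gateway addresses are placeholders.
ext_if1  = "fxp0"           # default-route WAN, as in the post
ext_if2  = "fxp1"           # second WAN (assumed name)
int_if   = "fxp2"           # LAN (assumed name)
ext_gw2  = "198.51.100.1"   # placeholder next hop on ext_if2
lan_net  = "192.168.1.0/24"
via_wan2 = "{ 192.168.1.120 }"   # LAN hosts to be steered out ext_if2

set block-policy drop
scrub in all

# NAT on both WAN links, so a packet pushed out ext_if2 by route-to
# leaves with that link's address rather than the default link's.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Default deny, logged to pflog0 so tcpdump -e -i pflog0 shows the drops.
block log all
pass quick on lo0 all

# LAN: steer the chosen hosts out ext_if2; everything else follows the
# kernel default route (ext_if1).
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
        inet proto tcp from $via_wan2 to any flags S/SA keep state
pass in on $int_if inet from $lan_net to any keep state

# A route-to packet is still filtered outbound on the interface it is sent
# to, so each WAN needs its own pass out rule.
pass out on $ext_if1 inet from ($ext_if1) to any keep state
pass out on $ext_if2 inet from ($ext_if2) to any keep state

# Inbound on the non-default WAN: reply-to sends the replies back the same
# way instead of via the default route on ext_if1.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
        from any to ($ext_if2) port ssh flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then compare `pfctl -vvsr` rule numbers against the "rule N" field in the pflog output to see which rule is matching.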