Re: pf block return sends rst through wrong interface
On Fri, Sep 12, 2014 at 12:10 PM, Henning Brauer <hb-open...@ml.bsws.de> wrote:
> * Thomas Pfaff <tpf...@tp76.info> [2014-08-28 13:51]:
>> I have a router with two external interfaces, ext_if1 and ext_if2,
>> where everything gets routed through ext_if2 by default (gateway)
>> except for a few daemons on ext_if1.
>>
>>     pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
>>         port ssh reply-to ($ext_if1 $ext_gw1)
>>
>> This seems to work as expected, sending return traffic through
>> ext_if1 rather than the default gateway.
>>
>> The problem is when a connection attempt is made on $ext_if1 to a
>> blocked port (set block-policy return). RST is sent through ext_if2
>> rather than ext_if1, thus showing up at the destination with the
>> wrong source address.
>>
>> I'm unable to find a rule that will get the router to send RST
>> through the correct interface, so other than using block-policy drop
>> to not send RST, is there a way to make it send through the correct
>> interface (ext_if1 in this case)?
>
> pf-generated packets like these RSTs bypass the ruleset, thus never
> hit your reply-to. I'm not aware of a solution.
>
> (route-to and reply-to are stupid to begin with. Avoid at all cost.)

Can you explain how you avoid this when having multiple default routes?

> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services GmbH, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/

--
- () ascii ribbon campaign - against html e-mail
  /\
Re: pf block return sends rst through wrong interface
Hi Thomas,

A possible solution to your problem might be to put ext_if1 into its
own rdomain with its default route out through ext_if1.

/Benno

Henning Brauer (hb-open...@ml.bsws.de) on 2014.09.12 18:10:26 +0200:
> * Thomas Pfaff <tpf...@tp76.info> [2014-08-28 13:51]:
>> I have a router with two external interfaces, ext_if1 and ext_if2,
>> where everything gets routed through ext_if2 by default (gateway)
>> except for a few daemons on ext_if1.
>>
>>     pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
>>         port ssh reply-to ($ext_if1 $ext_gw1)
>>
>> This seems to work as expected, sending return traffic through
>> ext_if1 rather than the default gateway.
>>
>> The problem is when a connection attempt is made on $ext_if1 to a
>> blocked port (set block-policy return). RST is sent through ext_if2
>> rather than ext_if1, thus showing up at the destination with the
>> wrong source address.
>>
>> I'm unable to find a rule that will get the router to send RST
>> through the correct interface, so other than using block-policy drop
>> to not send RST, is there a way to make it send through the correct
>> interface (ext_if1 in this case)?
>
> pf-generated packets like these RSTs bypass the ruleset, thus never
> hit your reply-to. I'm not aware of a solution.
>
> (route-to and reply-to are stupid to begin with. Avoid at all cost.)
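A concrete sketch of the rdomain approach Benno suggests, added here as an illustration; it is not taken from any message in the thread and was not posted by its participants. Interface names (em1 as ext_if1, em0 as ext_if2), the RFC 5737 documentation addresses, and sshd as the daemon that must answer on ext_if1 are assumptions. The fragments are the OpenBSD hostname.if(5), rc.local(8) and pf.conf(5) pieces such a setup would consist of.

```conf
# /etc/hostname.em1  (ext_if1; assumed names/addresses)
# "rdomain" has to be the first line so the address is configured in
# routing domain 1, which gets its own default route out em1.
rdomain 1
inet 203.0.113.10 255.255.255.0
!route -T 1 add -inet default 203.0.113.1

# /etc/hostname.em0  (ext_if2; stays in rdomain 0)
inet 198.51.100.10 255.255.255.0
# /etc/mygate holds rdomain 0's default gateway: 198.51.100.1

# /etc/rc.local
# Sockets belong to a routing domain, so a daemon that must answer on
# em1 is started inside rdomain 1; its replies then follow rdomain 1's
# default route and never need a reply-to rule.
/sbin/route -T 1 exec /usr/sbin/sshd

# /etc/pf.conf
ext_if1 = "em1"
ext_if2 = "em0"

set block-policy return
block all
pass out keep state

# No reply-to: for packets arriving on em1 the kernel does the routing
# within rdomain 1, which is what the rdomain split relies on for the
# RSTs pf generates for blocked ports as well.
pass in on $ext_if1 inet proto tcp to $ext_if1 port ssh
pass in on $ext_if2 inet proto tcp to $ext_if2 port { www https }
```

Verify it rather than assume it: from a host outside, probe a blocked port on the em1 address (for example `nc -z -w 3 203.0.113.10 25`) while running `tcpdump -n -i em1 'tcp[tcpflags] & tcp-rst != 0'` and the same capture on em0. The RST should appear on em1 with source 203.0.113.10 and nothing should leave em0. If the RST still shows up on em0, the problem Thomas describes is not solved by the rdomain split on that release, and `set block-policy drop` remains the fallback.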
Re: pf block return sends rst through wrong interface
* Thomas Pfaff <tpf...@tp76.info> [2014-08-28 13:51]:
> I have a router with two external interfaces, ext_if1 and ext_if2,
> where everything gets routed through ext_if2 by default (gateway)
> except for a few daemons on ext_if1.
>
>     pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
>         port ssh reply-to ($ext_if1 $ext_gw1)
>
> This seems to work as expected, sending return traffic through
> ext_if1 rather than the default gateway.
>
> The problem is when a connection attempt is made on $ext_if1 to a
> blocked port (set block-policy return). RST is sent through ext_if2
> rather than ext_if1, thus showing up at the destination with the
> wrong source address.
>
> I'm unable to find a rule that will get the router to send RST
> through the correct interface, so other than using block-policy drop
> to not send RST, is there a way to make it send through the correct
> interface (ext_if1 in this case)?

pf-generated packets like these RSTs bypass the ruleset, thus never
hit your reply-to. I'm not aware of a solution.

(route-to and reply-to are stupid to begin with. Avoid at all cost.)

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
pf block return sends rst through wrong interface
Hi.

I have a router with two external interfaces, ext_if1 and ext_if2,
where everything gets routed through ext_if2 by default (gateway)
except for a few daemons on ext_if1.

    pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
        port ssh reply-to ($ext_if1 $ext_gw1)

This seems to work as expected, sending return traffic through
ext_if1 rather than the default gateway.

The problem is when a connection attempt is made on $ext_if1 to a
blocked port (set block-policy return). RST is sent through ext_if2
rather than ext_if1, thus showing up at the destination with the
wrong source address.

I'm unable to find a rule that will get the router to send RST
through the correct interface, so other than using block-policy drop
to not send RST, is there a way to make it send through the correct
interface (ext_if1 in this case)?

Cheers,
Thomas.