greetings

please advise

WHAT I HAVE:

            routerB <-> netX/16
               ^
               |
               V
clients <-> routerA <-> netX/24


WHAT I NEED:
to provide `clients <-> netX/24' traffic on the base of routerB pf rules
so, the very decision to pass or to block has to be made on routerB



HOW I THINK TO DO THAT:

=================================================================================
VARIANT I
---------------------------------------------------------------------------------

---[ routerA pf.conf quotation start ]-------------------------------------------
...
# tag traffic from clients towards netX/24 as it enters from the client side
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
# hand the tagged traffic to routerB, where the pass/block decision is to be made
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---------------------------------------------

---[ routerB pf.conf quotation start ]-------------------------------------------
...
# only clients listed in <clients-allowed> get tagged on the link from routerA
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
# send the authorised traffic back towards routerA
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
# everything else from clients towards netX is blocked (pf syntax requires "from" before the source)
block from <clients> to <netX>
...
---[ routerB pf.conf quotation end ]---------------------------------------------


RESULTS: I see packets redirected to routerB, but there the packets are looping
         until the time to live is exceeded



=================================================================================
VARIANT II
---------------------------------------------------------------------------------

---[ routerA pf.conf quotation start ]-------------------------------------------
...
# tag traffic from clients towards netX/24 as it enters from the client side
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
# hand the tagged traffic to routerB, where the pass/block decision is to be made
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---------------------------------------------


---[ routerB configuration quotation start ]-------------------------------------

rc.conf
# static route for netX/24 pointing back at routerA (A.B.C.0/24 stands for the real prefix)
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"


pf.conf
# only clients listed in <clients-allowed> get tagged on the link from routerA
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
# everything else from clients towards netX/24 is blocked (pf syntax requires "from" before the source)
block from <clients> to <netX24>

---[ routerB configuration quotation end ]---------------------------------------


RESULTS: the same as for VARIANT I



=================================================================================
VARIANT III
---------------------------------------------------------------------------------

something else ...
could it relate to pfsync somehow?


-- 
Zeus V. Panchenko                               jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC                                       GMT+2 (EET)
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf