Thank you, everyone.

Routing domains seem to be much more powerful than I need.
I just needed outgoing packets to go through the appropriate interface; it
can be achieved by the "reply-to" thing in PF.

But I'll keep an eye on rdomains for some future use.

2011/12/21 Henning Brauer <lists-open...@bsws.de>:
> well that is how rdomains work, they are isolated from each other, pf
> can break that isolation up. an sshd in rdomain 0 is not reachable
> from another rdomain, except pf is used to allow that - or something
> external routes between them.
>
> * Russell Garrison <russell.garri...@gmail.com> [2011-12-20 21:50]:
>> I was inspired and realized you can do better with pf:
>>
>> pass in on em5 proto tcp to 192.168.235.12 port 22 \
>>         rdr-to 192.168.163.1 rtable 0
>>
>> I am not using vlan and my interfaces have IP addresses assigned.
>> 235.12 above is the management IP of the host in a non-zero rdomain
>> and 163.1 is the IP of the host in rdomain 0 with sshd listener
>> started. May still not be the best way, but I like this better than
>> starting multiple sshd. That approach had an added problem that my tty
>> would start in the rdomain local to where I connected, instead of
>> using 0 as the default.
>>
>>
>>
>> On Tue, Dec 20, 2011 at 3:28 PM, Russell Garrison
>> <russell.garri...@gmail.com> wrote:
>> > I have found that I need to add something like:
>> >
>> > !route -T 2 exec /usr/sbin/sshd
>> >
>> > To the pertinent hostname.if file to make sure sshd is listening in
>> > additional routing tables, but I do not know if this is best.
>> >
>> > On Mon, Dec 19, 2011 at 1:02 PM, Илья Шипицин
>> <chipits...@gmail.com> wrote:
>> >> Hello.
>> >>
>> >> I'm running a multihomed OpenBSD server:
>> >>
>> >> vlan5/carp5 - default
>> >> vlan2/carp2 and vlan4/carp4 are connected to other ISPs.
>> >>
>> >> When there's no rdomain thing, everything seems to be working, except
>> >> all outgoing packets go through vlan5/carp5.
>> >>
>> >>
>> >> so, I did
>> >>
>> >> f2n0:/root#cat /etc/hostname.vlan2
>> >> vlan 2 vlandev trunk0 mtu 1300
>> >> up
>> >>
>> >> f2n0:/root#cat /etc/hostname.carp2
>> >> vhid 62 pass m1pass carpdev vlan2 X.X.X.X/26 rdomain 2
>> >> !/sbin/route -T 2 add 0.0.0.0/0 X.X.X.Z
>> >> f2n0:/root#cat /etc/hostname.vlan4
>> >> vlan 4 vlandev trunk0 mtu 1300
>> >> up
>> >>
>> >> f2n0:/root#cat /etc/hostname.carp4
>> >> vhid 64 pass m1pass carpdev vlan4 Y.Y.Y.Y/26 rdomain 4
>> >> !/sbin/route -T 4 add 0.0.0.0/0 Y.Y.Y.Z
>> >> f2n0:/root#
>> >>
>> >> also, I did
>> >>
>> >> f2n0:/root#grep -v ^# /etc/pf.conf
>> >>
>> >> set skip on lo
>> >>
>> >> pass in vlan2 rtable 2
>> >> pass in vlan4 rtable 4
>> >>
>> >> pass
>> >>
>> >>
>> >> "ping" is working well; packets go out via the appropriate interface.
>> >> However, ssh ends with "tcp rst", for example.
>> >> How might the reason for that "tcp rst" be detected?
>> >>
>> >> Am I doing anything wrong with rdomains?
>> >>
>> >> Ilya Shipitsin
>>
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
> Managed
> Henning Brauer Consulting, http://henningbrauer.com/
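The "reply-to" approach that the thread ends on, written out as a pf.conf fragment. This is an added example, not a configuration posted by anyone in the thread. It assumes the interface layout described at the top of the thread (carp5 default, carp2 and carp4 on other ISPs), uses X.X.X.Z and Y.Y.Y.Z as placeholder gateway addresses exactly as the original post did, and uses the parenthesised `(interface address)` form of reply-to from the OpenBSD 5.0-era pf.conf(5) this thread refers to; confirm the grammar against `man pf.conf` on the release you run, since the route-to/reply-to syntax has changed in later releases.

```pf
# Added example (not from the thread): keep replies on the ISP link the
# connection arrived on, without rdomains. Gateways are placeholders.
ext_if5 = "carp5"      # default route lives here
ext_if2 = "carp2"      # second ISP, gateway X.X.X.Z
ext_if4 = "carp4"      # third ISP, gateway Y.Y.Y.Z
isp2_gw = "X.X.X.Z"
isp4_gw = "Y.Y.Y.Z"

set skip on lo

# Block by default so stray traffic shows up in pflog instead of silently
# following the default route.
block log

# Connections arriving on the non-default links: the state created here
# carries the reply-to gateway, so the SYN/ACK and every later packet of
# the session leave via that link instead of via the default route.
# "log" lets you see on pflog0 which interface pf actually saw the SYN on.
pass in log on $ext_if2 proto tcp to ($ext_if2) port ssh \
        reply-to ($ext_if2 $isp2_gw)
pass in log on $ext_if4 proto tcp to ($ext_if4) port ssh \
        reply-to ($ext_if4 $isp4_gw)

# Everything arriving on the default link, and everything the host
# initiates itself, uses the kernel routing table as before.
pass in on $ext_if5 proto tcp to ($ext_if5) port ssh
pass out
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. To find out why a session ends in "tcp rst" (the original question), watch both sides at once: `tcpdump -n -e -ttt -i pflog0` shows which rule and interface matched or blocked the SYN, and `pfctl -ss | grep 22` shows whether a state was created and, on recent releases, which route-to/reply-to target it holds; a SYN/ACK that leaves via the wrong interface, or with the wrong source address, is what an upstream router or stateful filter answers with a RST.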
