--- Quoting NetOne - Doichin Dokov on 2007/10/26 at 21:08 +0300:

> Hi all!
> 
> I think there's a mistake in the PF FAQ, but before submitting it as a 
> bug, I would like to make sure it's not me who is wrong, though last night 
> I helped a guy in #pf who had a problem with this and who did confirm I 
> am right.
> 
> What I'm talking about is http://www.openbsd.org/faq/pf/pools.html#outgoing
> The last two lines in the example say:
> 
> #  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
> #  $ext_if2 and $ext_gw2
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any 
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any 
> 
> They are supposed to route outgoing packets from $ext_if1 / $ext_if2 IPs 
> to the appropriate gw, when it is not the default route (one of them is 
> always not). So, the right rules should be:
> 
> pass out on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any 
> pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any 

No, this isn't right. There's no point in explicitly routing to $ext_gw1
if the packet is already leaving on $ext_if1 -- it's going to be heading
to that gateway anyways. The point of those two rules is to catch the
scenario where you have a packet heading out on if1 with a source
address from if2 and vice-versa.
 
> There should also be a remark, in case the user uses OpenBSD 4.1 (or the 
> forthcoming FreeBSD 7.0 release) to add "no state" to those two rules, 
> as if they don't, they match only packets with flags S/SA (which are now 
> added by default), and, as a result, connections coming from the outside 
> to the local machine do not get established, as the reply packets don't 
> match those route-to's and are not routed.

Those rules aren't meant to allow connections to the local machine at
all. You'd have to allow for that with separate rules. You could add 'no
state' to those rules though just because they don't need to keep state.
Their only job is to push packets to the proper outgoing interface based
on the packet's source address.

.joel
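To make the point of the thread concrete, here is a pf.conf fragment for a two-uplink host, written as an added illustration for this page; it is neither the FAQ's example nor anything posted in the thread. The interface names, gateway addresses and LAN prefix are constructed placeholders, and the ruleset is only the part relevant to the discussion (no block policy, no other services). The two `route-to` rules are the FAQ's cross-wired ones with `no state` added, as joel suggests, so that on OpenBSD 4.1 they match every packet rather than only TCP SYNs; inbound access to the box itself is granted by separate rules, each with `reply-to` so the replies leave by the interface the request arrived on.

```pf
# --- constructed example values, not from the thread ---
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "192.0.2.1"
ext_gw2 = "198.51.100.1"
int_if  = "fxp2"
lan_net = "10.0.0.0/24"

# translate LAN traffic to the address of whichever uplink it actually leaves on
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# spread new LAN connections across both uplinks
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin from $lan_net to any keep state

# a packet about to leave if1 with if2's source address (or vice versa) is
# pushed back to the gateway that belongs to its source address; nothing
# here needs state, so 'no state' keeps the rule from matching only S/SA
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any no state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any no state

# connections to the host itself are a separate matter: allow them explicitly,
# and use reply-to so the answers go out the way the request came in
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to ($ext_if1) port ssh flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port ssh flags S/SA keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; the thing to verify afterwards is that a connection arriving on the non-default uplink gets its replies out of that same uplink (the `reply-to` rules), and that a LAN connection the round-robin sent out via the non-default uplink keeps using it, which the two `route-to` rules guarantee.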
