Bill Meigs wrote:
> I discovered that rules like
>
>     pass in on $int_if route-to ($ext_if2 $ext_gw2) from any to any
>
> must route-to an interface and not that interface's ip address. The
> rule set will load without an error message but the route-to rule will
> not work if the ip address is specified.
>
> My first question is am I correct in this understanding. And if I am,
> shouldn't the ruleset fail to load if the route-to rule is not given
> an interface name?
>
> Thanks.

From pf.conf man page:

    route-to
        The route-to option routes the packet to the specified interface
        with an optional address for the next hop. When a route-to rule
        creates state, only packets that pass in the same direction as
        the filter rule specifies will be routed in this way. Packets
        passing in the opposite direction (replies) are not affected and
        are routed normally.

So, you really use an interface *name* and not an *ip* address with route-to. This is why you put a next-hop with it. Then you must have an ip address configured on the ext_if that can reach that next-hop. If not, it simply won't work. But it isn't your ruleset that is wrong. It's your routing table that is wrong. This is why it loads without an error message, because, from pf's syntax view, it's right.

My regards,

-- 
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
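The point made in the reply, as an added pf.conf example that is not part of the original thread: route-to names the outgoing interface and, in parentheses after it, the next-hop address; the interface itself must carry an address on the next hop's subnet or the packet has nowhere to go. The interface names and addresses (em0, em1, em2, 192.0.2.0/24) are constructed for illustration, and the parenthesized `(interface nexthop)` form is the one shown in the thread's own rule.

```conf
# Added example, not from the original thread. Macros below are assumptions:
ext_if  = "em0"          # primary uplink
ext_if2 = "em1"          # second uplink; assumed to carry 192.0.2.2/24
ext_gw2 = "192.0.2.1"    # next hop, on the same subnet as em1's address
int_if  = "em2"          # LAN side

# Correct form: interface NAME first, then the next-hop address.
# pf hands the packet to em1 addressed to 192.0.2.1; because em1 owns
# 192.0.2.2/24 the next hop is directly reachable and the rule works.
pass in on $int_if route-to ($ext_if2 $ext_gw2) from any to any

# Same rule, but with no next hop: the packet leaves em1 and the kernel
# picks the gateway from the routing table, so a missing or wrong route
# on em1 breaks it even though pfctl accepts the rule.
# pass in on $int_if route-to $ext_if2 from any to any

# The case the thread describes: the interface's own address used where
# the interface name belongs. Reported as loading cleanly but never
# routing as intended, so treat a literal address here as a bug.
# pass in on $int_if route-to (192.0.2.2 $ext_gw2) from any to any
```

Two checks worth running after editing the file: `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors but, as the reply notes, not a wrong interface/next-hop pairing; `route -n get 192.0.2.1` confirms the next hop is actually reachable through the interface you named, which is the half of the problem pf cannot see.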