On 02/23/2009 05:06:51 PM, Chris Smith wrote:
> However, when not routing normally, that is using route-to instead of the routing table's default gateway, ftp for the inside clients is not working. I'm guessing I need to use the -T argument, tag the packets and use some route-to and/or reply-to rules to get it all to work.
>
> ======================================================
> The last group of pass-out rules from the pf.conf (in case this helps):
> ======================================================
> pass out on $ext_if route-to ( $wow_4_if $wow_4_gw ) from $wow_4_if
> pass out on $ext_if route-to ( $wow_8_if $wow_8_gw ) from $wow_8_if
> pass out on $wow_4_if route-to ( $wow_8_if $wow_8_gw ) from $wow_8_gw
> pass out on $wow_4_if route-to ( $ext_if $ext_gw ) from $ext_gw
> pass out on $wow_8_if route-to ( $wow_4_if $wow_4_gw ) from $wow_4_gw
> pass out on $wow_8_if route-to ( $ext_if $ext_gw ) from $ext_gw
> ======================================================
(FWIW, I'd write it like this because I think it makes the pattern more clear.)

pass out on { $ext_if $wow_8_if } \
    route-to ( $wow_4_if $wow_4_gw ) from $wow_4_gw
pass out on { $ext_if $wow_4_if } \
    route-to ( $wow_8_if $wow_8_gw ) from $wow_8_gw
pass out on { $wow_4_if $wow_8_if } \
    route-to ( $ext_if $ext_gw ) from $ext_gw

If you've 3 separate ftp-proxy instances, one each with a -a for each gateway, then I'd think you could use -T and tag with any tag and forget about writing special rules that look for the tag. The ftp-proxy -T should be enough to turn off the "quick" and then your rules above would catch the outbound traffic and do the appropriate route-to.

Dunno if it works, but that's what I'd try.

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
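To make the layout Karl proposes concrete, here is an added pf.conf sketch; it is not Chris's configuration or Karl's, and everything in it (interface names, RFC 5737 addresses, the split of inside clients across the three upstreams, the proxy ports and the tag name) is constructed. It assumes ftp-proxy(8)'s -a address is the source address the proxy uses for its server-side connections, so proxied FTP traffic leaves "from" that upstream's address and is caught by the same route-to rules as any other traffic sourced there; the claim that -T removes "quick" from the anchor rules is taken from the thread as given.

```conf
# Added example (not from the original thread). One ftp-proxy per upstream,
# each bound with -a to that upstream's local address and tagging with -T,
# so the ordinary per-source route-to rules steer the proxied FTP sessions.
# Addresses, interfaces and client split are constructed; the rest of the
# ruleset (pass in on $int_if, antispoof, etc.) is omitted.

# --- interfaces and next hops (constructed) ---
int_if   = "em0"
ext_if   = "em1"
wow_4_if = "em2"
wow_8_if = "em3"

ext_addr   = "192.0.2.10"        # our own address on $ext_if
ext_gw     = "192.0.2.1"         # next hop reached via $ext_if
wow_4_addr = "198.51.100.10"
wow_4_gw   = "198.51.100.1"
wow_8_addr = "203.0.113.10"
wow_8_gw   = "203.0.113.1"

# which inside clients are policy-routed via which upstream (constructed)
lan_ext   = "10.0.0.0/24"
lan_wow_4 = "10.0.4.0/24"
lan_wow_8 = "10.0.8.0/24"

# Three proxy instances, started (assumption: -a sets the server-side
# source address, -p the listen port, -T the tag) as:
#   ftp-proxy -T ftpproxy -a 192.0.2.10    -p 8021
#   ftp-proxy -T ftpproxy -a 198.51.100.10 -p 8022
#   ftp-proxy -T ftpproxy -a 203.0.113.10  -p 8023

# anchors where ftp-proxy installs its per-session rules (OpenBSD 4.x syntax)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# each client group's FTP control connections go to its own proxy instance
rdr pass on $int_if proto tcp from $lan_ext   to any port 21 -> 127.0.0.1 port 8021
rdr pass on $int_if proto tcp from $lan_wow_4 to any port 21 -> 127.0.0.1 port 8022
rdr pass on $int_if proto tcp from $lan_wow_8 to any port 21 -> 127.0.0.1 port 8023

anchor "ftp-proxy/*"

# Karl's consolidated policy-routing rules, keyed on our own address per
# upstream. A packet the routing table would send out the wrong interface
# is pushed to the upstream whose address it carries; with -T (and thus no
# "quick" on the anchor rules, per the thread) the proxied control and
# data connections fall through to these rules like any other traffic.
pass out on { $wow_4_if $wow_8_if } \
    route-to ( $ext_if $ext_gw ) from $ext_addr
pass out on { $ext_if $wow_8_if } \
    route-to ( $wow_4_if $wow_4_gw ) from $wow_4_addr
pass out on { $ext_if $wow_4_if } \
    route-to ( $wow_8_if $wow_8_gw ) from $wow_8_addr
```

The "from" in each route-to rule is the router's own address on that upstream, not the next hop; the rdr rules decide which proxy (and therefore which -a address and which upstream) a client group gets. Verifying it on a live box means watching `pfctl -vvsr` and `pfctl -ss` while a client transfers a file, and checking that the data connection states show the expected -a source address and route-to interface.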