On Wed, Aug 16, 2006 at 02:04:32PM -0700, George Pontis wrote:
> pass in quick on $int_if \
>     route-to ($ext_if2 $ext_gw2) \
>     inet proto tcp from 192.168.1.120 to any flags S/SA \
>     keep state (floating) \
You seem to be assuming that a floating state created on $int_if will match packets on fxp0 (presumably $ext_if). That's simply not the case. More details can be found in

  http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238

In short, you need a "pass out on fxp0 ... keep state" rule for those connections, and you'll get TWO states per connection.

Daniel

-------------------
-------------------

Yes, my understanding of (floating) was incorrect and I thank you for the pointer which explained that nicely. The original problem remains, though, since I have always used pass out rules for both external interfaces:

######################################################################################
pass out on $ext_if1 inet proto tcp all flags S/SA keep state queue (q_def1, q_pri1)
pass out on $ext_if1 inet proto { udp, icmp } all keep state queue (q_def1, q_pri1)
pass out on $ext_if2 inet proto tcp all flags S/SA keep state queue (q_def2, q_pri2)
pass out on $ext_if2 inet proto { udp, icmp } all keep state queue (q_def2, q_pri2)
#
# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for ext_if2 to ext_gw2
#
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any flags S/SA keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any flags S/SA keep state
######################################################################################

There must be something about my understanding of how packets are routed that is at the root of the problem. I say that since the packets that are dropped are being routed out ext_if1 in contradiction to the route-to ext_if2 option. How can I express the logic in pf that will ensure that all the traffic for a specific LAN host will always route through a specific interface, no matter what is in the system routing tables?

Geo.
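The following pf.conf fragment is an added illustration of the two-state arrangement Daniel describes; it is not George's configuration and not from the thread. The macro values (interface names, gateway addresses, the LAN host) are assumptions chosen for the example, and the nat rule is an assumption that the LAN uses private addresses behind the second uplink. The point it makes is about rule order: pf is last-match-wins unless a rule says quick, so the host-specific route-to rule must be the one that creates the inbound state on $int_if, and a separate pass out rule on $ext_if2 then creates the second state when the packet leaves.

```pf
# Added example, not the poster's ruleset. Interface and address values are assumed.
int_if  = "sis0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "203.0.113.1"     # assumed gateway on uplink 1
ext_gw2 = "198.51.100.1"    # assumed gateway on uplink 2
pinned  = "192.168.1.120"   # LAN host that must always leave via $ext_if2

# Assumed: LAN is RFC1918, so traffic leaving $ext_if2 needs source NAT there.
nat on $ext_if2 from $pinned to any -> ($ext_if2)

# State 1 is created here, on $int_if. route-to overrides the routing table
# and hands the packet to $ext_if2 / $ext_gw2. "quick" matters: a later,
# more general pass-in rule without route-to would otherwise win and create
# a state that routes by the kernel table. Keep this rule ahead of any other
# quick rule on $int_if that could match the same host.
pass in quick on $int_if inet proto tcp from $pinned to any \
    flags S/SA route-to ($ext_if2 $ext_gw2) keep state

# General LAN rule for every other host, evaluated after the pinned rule.
pass in on $int_if inet proto tcp from $int_if:network to any \
    flags S/SA keep state

# State 2 is created here, on $ext_if2, as the routed packet leaves.
# Without an "out" rule on this interface the packet is dropped by the
# default policy even though the route-to decision was already made.
pass out on $ext_if2 inet proto tcp all flags S/SA keep state

# Reply traffic for the second uplink's own address must go back out the
# same gateway, regardless of the default route (same idea as the poster's
# cross-interface rule, restated for this example).
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any \
    flags S/SA keep state
```

To confirm the rules are doing what is intended rather than guessing from dropped packets: `pfctl -nf /etc/pf.conf` checks the syntax without loading it, `pfctl -vvsr` prints each rule with its Evaluations/Packets/States counters so you can see whether the route-to rule or the general LAN rule is the one creating states for the pinned host, and `pfctl -ss` should show two entries per connection from that host, one on $int_if and one on $ext_if2. If the second entry appears on $ext_if1 instead, the first packet matched a rule without route-to, which is the symptom described in the thread.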