Re: pf and Cisco route map equivalent?

2005-03-24 Thread Jason Opperisano
On Wed, 2005-03-23 at 15:21, Xavier wrote:
> Hi,
>
> Just one question... Maybe stupid, pardon me!
> Can I define sort of route maps such as
> in Cisco devices with pf?
>
> Ex: if source address = x.x.x.x - send to next hop y.y.y.y

yes--route-to can be used for this:

pass in on $int_if route-to ($ext_if y.y.y.y) inet from x.x.x.x \
 to any keep state

-j

--
Asleep at the switch?  I wasn't asleep, I was drunk!
--The Simpsons


Re: pf and Cisco route map equivalent?

2005-03-24 Thread Siju George
On Wed, 23 Mar 2005 21:21:58 +0100 (CET), Xavier [EMAIL PROTECTED] wrote:
> Hi,
>
> Just one question... Maybe stupid, pardon me!
> Can I define sort of route maps such as
> in Cisco devices with pf?
>
> Ex: if source address = x.x.x.x - send to next hop y.y.y.y
>

YUP !!!

You can use the route-to option in PF.

I will post a portion of a working example from my firewall below;
an explanation is also given below.


# Gateway IP of the DSL Internet connection (next hop)
#
dsl_gw = ip.ip.ip.ip
#
# Pass and route all packets from the LAN whose source IP is listed
# in the <dslusers> table through the DSL connection
#
pass in quick on $int_if route-to ( $ext_ifdsl $dsl_gw ) \
 from <dslusers> to any keep state
#
# Pass all packets from LAN to Internet
#
pass in on $int_if from $int_if:network to any keep state
#
#

EXPLANATION
--

The firewall is connected to 

1) LAN switch through $int_if
2) cable internet connection through $ext_ifcm
3) DSL connection through $ext_ifdsl

The default route of the firewall (/etc/mygate) is the Gateway (next
hop) for the cable internet connection.

So when a packet arrives on the $int_if, it goes through the filter
rules, and if the packet has a source address that belongs to the
dslusers table then it matches the rule

pass in quick on $int_if route-to ( $ext_ifdsl $dsl_gw ) \
 from <dslusers> to any keep state

since the above rule has the quick word in it, no further processing is
done, and since the rule has the route-to option in it, the Firewall's
routing table is bypassed ( not consulted at all ); instead the route
specified in the rule ( $dsl_gw ) is followed and the packet is sent out
the interface $ext_ifdsl.

Now when a packet from the LAN arrives on the $int_if with a
source address that does not belong to the dslusers table, it goes
through the filtering rules and matches the rule

pass in on $int_if from $int_if:network to any keep state

so for these packets the Firewall's routing table is consulted and
they are routed accordingly ( in this case the /etc/mygate file contains the
Gateway address (next hop) for the cable internet connection, so they
go out through that connection via $ext_ifcm ).

hope it's clear :))

--Siju
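As an added, self-contained illustration of the route-to policy routing described in the two replies above (this is not Siju's or Jason's configuration; interface names, addresses and the table contents are placeholders), here is a complete pf.conf in the pre-OpenBSD 4.7 grammar the thread uses, which is also the grammar FreeBSD's pf still accepts. It fills in the pieces the quoted fragment leaves out: the table definition, NAT on both uplinks, and a reply-to rule so sessions that arrive on the DSL side are answered over DSL rather than over the default route.

```pf
# Added example, not from the thread. All names and addresses are placeholders.
int_if    = "em0"          # LAN
ext_ifcm  = "em1"          # cable modem; carries the default route (/etc/mygate)
ext_ifdsl = "em2"          # DSL uplink
dsl_gw    = "192.0.2.1"    # DSL next hop (documentation prefix, placeholder)

# LAN hosts that should be policy-routed out over DSL.
# 'persist' keeps the table even when no rule currently references it,
# so it can be edited at runtime with pfctl -t dslusers -T add/delete.
table <dslusers> persist { 10.0.0.10, 10.0.0.11, 10.0.0.32/27 }

set skip on lo

# Translate LAN sources on whichever uplink the packet actually leaves on.
nat on $ext_ifcm  from $int_if:network to any -> ($ext_ifcm)
nat on $ext_ifdsl from $int_if:network to any -> ($ext_ifdsl)

block log all

# Policy route: table members leave via DSL, bypassing the routing table.
# 'quick' ends evaluation here so the generic LAN rule below cannot
# override this decision (pf otherwise applies the last matching rule).
pass in quick on $int_if route-to ($ext_ifdsl $dsl_gw) inet \
    from <dslusers> to any keep state

# Everyone else on the LAN follows the kernel routing table, i.e. the
# cable default route.
pass in on $int_if inet from $int_if:network to any keep state

# Inbound service reachable on the DSL address: answer via the DSL gateway,
# otherwise replies would leave via the cable default route with the DSL
# source address and be dropped by the cable ISP.
pass in on $ext_ifdsl reply-to ($ext_ifdsl $dsl_gw) inet proto tcp \
    from any to ($ext_ifdsl) port ssh keep state

pass out quick on { $ext_ifcm $ext_ifdsl } keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and confirm a given LAN address is actually in the table with `pfctl -t dslusers -T test 10.0.0.10` before relying on the policy route. Since the route-to rule bypasses the routing table entirely, a wrong $dsl_gw silently blackholes exactly the hosts in the table while the rest of the LAN keeps working, so the state table (`pfctl -ss`) is the first place to look when only those hosts lose connectivity.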


pf and Cisco route map equivalent?

2005-03-23 Thread Xavier
Hi,

Just one question... Maybe stupid, pardon me!
Can I define sort of route maps such as
in Cisco devices with pf?

Ex: if source address = x.x.x.x - send to next hop y.y.y.y

Regards,
Xavier
--
Research is what I'm doing when I don't know what I'm doing.
- Wernher Von Braun (1912-1977)