warmspit
April 27th, 2010, 13:31
Been beating my head against the wall for a few days trying to make things work. Here is the set up.
Single host providing some services, ntp in this example. Two interfaces, bce0 and bce1. Bce0 is the default route as defined in rc.conf. NTP packets arrive correctly on bce1 but exit on bce0 and I am unable to influence them to exit via bce1 using reply-to. Any suggestions?
Includes a few broken rules wrt reply-to as experiments
pf.conf
foo_face="{bce0 bce1}"
table <rfc1918> const { 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }
tcp_services="{27}"
udp_services="{53 123}"
bad_services="{135 137 445}"
icmp_types="echoreq"
lisp_addrs="{153.16.4.130}"
set block-policy drop
set loginterface bce1
set state-policy if-bound
set limit states 50000
set ruleset-optimization basic
set skip on lo
block in
antispoof quick for { lo bce0 bce1 }
block drop in quick inet from <rfc1918> to any
block drop in quick on $foo_face proto tcp from any to any port $bad_services
block drop in quick on $foo_face proto udp from any to any port $bad_services
#pass in on bce1 tag BCE1
pass in on $foo_face proto tcp from any to $foo_face port $tcp_services
pass in on $foo_face proto udp from any to $foo_face port $udp_services
pass in inet proto icmp all icmp-type $icmp_types keep state
#pass in on $foo_face reply-to bce1 from bce1 to any
#pass in on bce1 reply-to (bce1 154.16.4.129) inet from bce1 to any
#pass in log quick reply-to (bce1 154.16.4.129) inet from bce1 to any
#pass in log quick reply-to (bce1 154.16.4.129) inet tagged BCE1
pass out keep state
pass in keep state
pf state
bce1 udp 153.16.4.130:123 <- 64.16.153.2:12 NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 64.16.153.2:12 SINGLE:NO_TRAFFIC
bce1 udp 153.16.4.130:123 <- 75.130.67.96:61256 NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 75.130.67.96:61256 SINGLE:NO_TRAFFIC
bce1 udp 153.16.4.130:123 <- 66.28.241.19:123 NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 66.28.241.19:123 SINGLE:NO_TRAFFIC
bce1 udp 153.16.4.130:123 <- 71.237.111.9:123 NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 71.237.111.9:123 SINGLE:NO_TRAFFIC
Single host providing some services, ntp in this example. Two interfaces, bce0 and bce1. Bce0 is the default route as defined in rc.conf. NTP packets arrive correctly on bce1 but exit on bce0 and I am unable to influence them to exit via bce1 using reply-to. Any suggestions?
Includes a few broken rules wrt reply-to as experiments
pf.conf
foo_face="{bce0 bce1}"
table <rfc1918> const { 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }
tcp_services="{27}"
udp_services="{53 123}"
bad_services="{135 137 445}"
icmp_types="echoreq"
lisp_addrs="{153.16.4.130}"
set block-policy drop
set loginterface bce1
set state-policy if-bound
set limit states 50000
set ruleset-optimization basic
set skip on lo
block in
antispoof quick for { lo bce0 bce1 }
block drop in quick inet from <rfc1918> to any
block drop in quick on $foo_face proto tcp from any to any port $bad_services
block drop in quick on $foo_face proto udp from any to any port $bad_services
#pass in on bce1 tag BCE1
pass in on $foo_face proto tcp from any to $foo_face port $tcp_services
pass in on $foo_face proto udp from any to $foo_face port $udp_services
pass in inet proto icmp all icmp-type $icmp_types keep state
#pass in on $foo_face reply-to bce1 from bce1 to any
#pass in on bce1 reply-to (bce1 154.16.4.129) inet from bce1 to any
#pass in log quick reply-to (bce1 154.16.4.129) inet from bce1 to any
#pass in log quick reply-to (bce1 154.16.4.129) inet tagged BCE1
pass out keep state
pass in keep state
pf state
bce1 udp 153.16.4.130:123 <- 64.16.153.2:12 NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 64.16.153.2:12 SINGLE:NO_TRAFFIC
bce1 udp 153.16.4.130:123 <- 75.130.67.96:61256 NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 75.130.67.96:61256 SINGLE:NO_TRAFFIC
bce1 udp 153.16.4.130:123 <- 66.28.241.19:123 NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 66.28.241.19:123 SINGLE:NO_TRAFFIC
bce1 udp 153.16.4.130:123 <- 71.237.111.9:123 NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 71.237.111.9:123 SINGLE:NO_TRAFFIC