Dear Ken,
On Thu, Jan 12, 2012 at 01:05:10PM -0500, Kenneth Gober wrote:
> On Tue, Jan 10, 2012 at 1:41 PM, Dr.-Ing. Torsten Finke <[email protected]> wrote:
>
> > On my firewall I have TWO different internet connections. It is simple to
> > forward - for instance ssh - from both connections to an internal machine.
> > Now this machine answers and the firewall sends the reply back. How can I
> > force the firewall to send the reply over exactly the interface the request
> > came in on? The problem is that the client anywhere on the internet expects
> > the answer from the very address it had contacted. If now the reply comes
> > from another address, it will get lost.
> >
>
> I am doing this using OpenBSD 4.6, without any apparent problems, using the
> following syntax:
>
> pass in log quick on $pri inet proto tcp to ($pri) port 1194
> pass in log quick on $sec reply-to $sec inet proto tcp to ($sec) port 1194
Great! I thought it to be this simple.
May I ask about your routing? For this to work I think you need to have
multipath routing. You call your interfaces $pri and $sec. Are they configured
differently?
The pf.conf(5) man page says that "reply-to is useful only in rules that
create state". Do you manage state by some other rule before?
> Unfortunately, the pf.conf syntax has changed since v4.6 and while I do plan
> to upgrade my own firewall to v5.0 (I've bought the CD already) I haven't yet
> had time to perform the upgrade. As a result, I haven't worked out what the
> equivalent 'modern' syntax would be, but you might be able to get some hints
> from what I'm using in v4.6.
Yes!
Concerning syntax I did some tests. The following rule is syntactically
correct (in the sense that it is accepted by pf, at least on 4.8):
pass in on $vpn_if inet proto udp from any to any port 1194 \
keep state reply-to ( $vpn_if $vpn_if:peer )
I think this can be done simpler.
Thanks a lot for your advice
Torsten
>
> -ken
--
------------------------------------------------------------------------
Dr.-Ing. Torsten Finke
[email protected]
Tel.: +49 201 / 36014-17
Ingenieurgemeinschaft IgH
Gesellschaft für Ingenieurleistungen mbH
Heinz-Bäcker-Str. 34
D-45356 Essen
Amtsgericht Essen HRB 11500
VAT ID: DE 174 626 722
Management:
- Dr.-Ing. S. Rotthäuser,
- Dr.-Ing. T. Finke,
- Dr.-Ing. W. Hagemeister
Tel.: +49 201 / 360-14-0
http://www.igh-essen.com
------------------------------------------------------------------------
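The rules Ken (4.6 syntax) and Torsten (4.8 test rule) quote above, written out as one complete two-uplink fragment in the post-4.7 pf.conf grammar. This is an added illustration for this page, not configuration posted by either of them. The interface names em0/em1/em2, the gateway 203.0.113.1, the internal host 192.168.1.10 and the macro names are assumptions. The grammar shown (reply-to with the interface and next hop in parentheses) is the one accepted from OpenBSD 4.7 through the 5.x releases; later releases revised the route-to/reply-to syntax, so check pf.conf(5) on the target release.

```pf
# Added example: two uplinks, ssh forwarded from both to one internal host,
# replies pinned to the link the request arrived on.
# em0/em1/em2, 203.0.113.1 and 192.168.1.10 are assumed values.
pri      = "em0"            # primary uplink, carries the default route
sec      = "em1"            # secondary uplink, nothing in the routing table points here
sec_gw   = "203.0.113.1"    # next hop on the secondary link (assumed)
int_if   = "em2"            # internal interface
ssh_host = "192.168.1.10"   # internal machine the ssh port is forwarded to (assumed)

set skip on lo
block log all

# Primary link: no reply-to needed. The state restores the firewall's $pri
# address as source and the reply follows the default route out $pri anyway.
pass in quick on $pri inet proto tcp to ($pri) port 22 rdr-to $ssh_host

# Secondary link: the state created here records $sec/$sec_gw as the reply path.
# The internal host's answer comes in on $int_if, matches this (floating) state,
# gets its source rewritten back to the $sec address and is sent out $sec to
# $sec_gw, bypassing the routing table that would otherwise push it out $pri.
pass in quick on $sec inet proto tcp to ($sec) port 22 rdr-to $ssh_host \
    reply-to ($sec $sec_gw)

# A service running on the firewall itself is handled the same way; on a
# point-to-point link (PPPoE, tun) the :peer modifier replaces a fixed gateway.
pass in quick on $sec inet proto udp to ($sec) port 1194 \
    reply-to ($sec $sec:peer)

# Rules keep state by default since 4.7, so no explicit "keep state" is needed,
# and reply-to is therefore attached to every state these rules create.
```

Two points that answer the questions raised in the thread: reply-to does not require multipath routing, because the reply path is taken from the state entry rather than from the routing table, so the default route may stay on $pri; and since OpenBSD 4.7 every pass rule creates state unless told otherwise, so the "only in rules that create state" restriction is met without a separate rule. Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `tcpdump -ni em1 port 22` while connecting to the secondary address to confirm the SYN/ACK leaves on em1 with the secondary address as source; `pfctl -ss` shows the corresponding state. One caveat for daemons on the firewall itself: reply-to chooses the outgoing interface and next hop, not the source address the daemon writes into its reply, so the daemon must answer from the address the request arrived on (OpenVPN needs --multihome or a --local binding for that); for forwarded (rdr-to) connections the state translation takes care of the source address.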