On 2021-05-30, Dave Anderson wrote:
> I’m setting up on 6.9-release a (for now) IPv4-only firewall with multiple
> public addresses and multiple subnets behind it, and have a couple of
> questions related to connections originating from the firewall itself to
> which I haven’t found definitive answers.
>
> When not overridden (for example, by ‘ftp-proxy -a <adr>’) which of the
> public addresses will be chosen as the source address for connections to the
> Internet originating on the firewall? It would make sense to me for the one
> address not declared as an alias to always be chosen, but I haven’t found
> anything that states this to be true. I want to (for example) keep traffic
> from systems I control separate from that from the WiFi subnet (which I’ll
> NAT to a different public address).
The interface address associated with the route used to reach the
destination. See "if address" in "route -n get $IP".

> I plan to use tags to control policy, initially tagging each new connection
> based mostly (but not entirely) on which interface it arrives through. But,
> unless I’m missing something, connections originating on the firewall can’t
> be tagged this way since they don’t arrive through any interface. Which also
> seems to mean that all policy decisions must be made outbound, since that’s
> the only time that connections originating on the firewall will pass through
> an interface. And I haven’t found any way of filtering on untagged
> connections (something like ‘! tagged any’ would be nice). I’m sure that my
> setup isn’t unique, so there must be a good way of dealing with this, but
> I’ve no idea what it might be. Suggestions, please!

You might find "!received-on any" useful to allow a rule to match only
locally originated connections. I guess you could do something like
"match !received-on any tag local" if you want to attach a tag to those.
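As an added illustration (not part of either message in the thread), here is a pf.conf fragment that puts both answers together: locally originated connections are tagged with "! received-on any" so they can be given their own outbound policy, and the WiFi subnet is NATed to a separate public address while everything else keeps the interface's primary address, i.e. the "if address" of the default route. Interface names, the 203.0.113.0/24 and 192.168.20.0/24 addresses and the tag names are assumptions chosen for the example; the alias address is assumed to already be configured on the external interface (for instance with an "inet alias" line in its hostname.if file).

```pf
# Added example, not from the thread. Names and addresses are assumptions.
ext_if  = "em0"        # external interface, primary address 203.0.113.10
lan_if  = "em1"        # systems under the admin's control
wifi_if = "em2"        # WiFi subnet

wifi_net      = "192.168.20.0/24"
wifi_nat_addr = "203.0.113.11"   # alias on $ext_if, used only for WiFi NAT

set skip on lo

# Tag new connections by the interface they arrive on. The tag is kept in
# the state entry, so an "out" rule can match on it later.
match in on $lan_if  tag lan
match in on $wifi_if tag wifi

# Connections the firewall itself opens were never received on any
# interface, so this is the one place they can be tagged.
match out on $ext_if ! received-on any tag local

# Only WiFi traffic gets the alias as its source; untouched traffic keeps
# the primary address that the route to the destination selects.
match out on $ext_if from $wifi_net nat-to $wifi_nat_addr

block log all

# All policy for firewall-originated traffic is decided outbound, by tag.
pass out on $ext_if tagged local
pass out on $ext_if tagged lan
pass out on $ext_if tagged wifi

pass in on $lan_if
pass in on $wifi_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Two things worth keeping in mind: a "match" rule only annotates the packet, so a connection that is tagged or NATed still needs a "pass" rule that lets it through, and anything that binds its own source address explicitly (the "ftp-proxy -a" case from the question) bypasses the route-based default but is still subject to these rules.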

