> On Jun 1, 2021, at 16:50, Stuart Henderson <[email protected]> wrote:
>
> On 2021-05-30, Dave Anderson <[email protected]> wrote:
>> I’m setting up on 6.9-release a (for now) IPv4-only firewall with multiple
>> public addresses and multiple subnets behind it, and have a couple of
>> questions related to connections originating from the firewall itself to
>> which I haven’t found definitive answers.
>>
>> When not overridden (for example, by ‘ftp-proxy -a <adr>’) which of the
>> public addresses will be chosen as the source address for connections to the
>> Internet originating on the firewall? It would make sense to me for the one
>> address not declared as an alias to always be chosen, but I haven’t found
>> anything that states this to be true. I want to (for example) keep traffic
>> from systems I control separate from that from the WiFi subnet (which I’ll
>> NAT to a different public address).
>
> The interface address associated with the route used to reach the
> destination. See "if address" in "route -n get $IP".
>
>> I plan to use tags to control policy, initially tagging each new connection
>> based mostly (but not entirely) on which interface it arrives through. But,
>> unless I’m missing something, connections originating on the firewall can’t
>> be tagged this way since they don’t arrive through any interface. Which also
>> seems to mean that all policy decisions must be made outbound, since that’s
>> the only time that connections originating on the firewall will pass through
>> an interface. And I haven’t found any way of filtering on untagged
>> connections (something like ‘! tagged any’ would be nice). I’m sure that my
>> setup isn’t unique, so there must be a good way of dealing with this, but
>> I’ve no idea what it might be. Suggestions, please!
>
> You might find "!received-on any" useful to allow a rule to match only
> locally originated connections. I guess you could do something like
> "match !received-on any tag local" if you want to attach a tag to those.

I should have noticed that; evidently I was too fixated on tags. Once I’ve
identified the local connections I can NAT them to the address I want, so which
source address is used by default doesn’t matter. Thanks!
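The approach settled on in this thread, written out as a pf.conf fragment. This is an added example, not configuration from either poster; the interface names, addresses and tag names are assumptions, and the WiFi subnet is tagged on ingress while locally originated connections are tagged on egress with "! received-on any", since they never pass inbound through any interface:

```pf
# Added example (not from the thread). Interface names, addresses
# and subnets below are assumptions chosen for illustration.
ext_if   = "em0"
wifi_if  = "em2"
pub_main = "192.0.2.10"    # public address for the firewall's own traffic
pub_wifi = "192.0.2.11"    # public address the WiFi subnet is NATed to
wifi_net = "10.0.2.0/24"

# Connections originating on the firewall are never received on an
# interface, so "! received-on any" is what singles them out. The tag
# sticks to the state that the later pass rule creates.
match out on $ext_if ! received-on any tag LOCAL

# Traffic arriving from the WiFi segment is tagged by ingress interface,
# as the original poster already does for the other subnets.
match in on $wifi_if inet from $wifi_net tag WIFI

# Source-NAT each class to its own public address on the way out, so the
# kernel's default choice of source address no longer matters.
match out on $ext_if tagged LOCAL nat-to $pub_main
match out on $ext_if tagged WIFI  nat-to $pub_wifi

# Default deny on the external interface; only tagged classes may leave.
block out log on $ext_if
pass  out on $ext_if tagged LOCAL
pass  out on $ext_if tagged WIFI
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -vvsr` shows per-rule packet counters, which is a quick way to confirm that the LOCAL match rule is actually being hit by connections the firewall itself opens. Note that "! received-on any" is evaluated per packet on its ingress interface, so the tag has to be attached on the outbound rule: there is no inbound pass for these connections anywhere.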