* Uwe Werler <[email protected]> [2009-05-07 16:43]:
> Hello list,
>
> I have an OpenBSD box with 4.5 connected to two carriers, to one per dhcp and
> to the other static configured.
> Now I tried to change my rule set from route-to/reply-to syntax to rtable
> usage.
>
> Up to now I added my static configured gateway with "route add default $GW
> -mpath" so the dhclient-script
> only adds an additional default route.
>
> The following rule worked:
>
> $ext1 = static configured as for $ext1_gw
>
> pass in on $ext1 reply-to ($ext1 $ext1_gw) inet proto tcp to ($ext1) port ssh
> flags S/SA keep state \
> (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, pflow)
>
> Now I moved the static gateway to routing table 1 with "route -T 1 add
> default $GW" and changed my
> rule to:
>
> pass in on $ext1 inet proto tcp to ($ext1) port ssh flags S/SA keep state \
> (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global,
> pflow) rtable 1
>
> But as soon as I run "dhclient $ext2" I can't log on via SSH to the static
> configured address, so I
> guess the reply packets are not routed via rtable 1.
>
> What am I missing, or what have I misunderstood?
that scenario doesn't work. rtable influences route lookup, so it must be set before the lookup happens - i.e. inbound; it is too late outbound. your return traffic originates at the host itself - pf outbound, too late.

I haven't come up with an elegant solution yet. not sure there is one.

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

