Henning Brauer wrote:
* Uwe Werler <[email protected]> [2009-05-07 16:43]:
Hello list,
I have an OpenBSD 4.5 box connected to two carriers, one via DHCP and the other statically configured.
Now I tried to change my rule set from route-to/reply-to syntax to rtable usage.
Up to now I added my statically configured gateway with "route add default $GW -mpath", so dhclient-script only adds an additional default route.
The following rule worked:
$ext1 = statically configured, as for $ext1_gw
pass in on $ext1 reply-to ($ext1 $ext1_gw) inet proto tcp to ($ext1) port ssh
flags S/SA keep state \
(max-src-conn-rate 3/30,overload <ssh-bruteforce> flush global, pflow)
Now I moved the static gateway to routing table 1 with "route -T 1 add default $GW" and changed my rule to:
pass in on $ext1 inet proto tcp to ($ext1) port ssh flags S/SA keep state \
(max-src-conn-rate 3/30,overload <ssh-bruteforce> flush global, pflow) rtable 1
But as soon as I run "dhclient $ext2" I can't log on via SSH to the statically configured address, so I guess the reply packets are not routed via rtable 1.
What am I missing, or what have I misunderstood?
That scenario doesn't work. rtable influences route lookup, so it must be set before the lookup happens, i.e. inbound; outbound is too late. Your return traffic originates at the host itself, so pf sees it outbound, which is too late.
I haven't come up with an elegant solution yet. Not sure there is one.
On Linux you can add an fwmark rule to the OUTPUT chain of the iptables mangle table, create a routing table with ip route ..., and then add a rule to the policy routing database saying that packets carrying the fwmark from the iptables rule should be routed according to that routing table.
Seems like a nice solution to me; one can, for example, route the default traffic from incoming tun devices (openvpn) to the default route but still route outgoing packets from the openvpn daemon itself back to the connecting clients (which of course could be anywhere in the world, hence the need for a different default route for that traffic than for the traffic coming in over the tun devices).
Just some food for thought.
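The Linux setup sketched in the previous message, written out as an added example; this is not code from the thread or from any of its participants. It assumes constructed values that are not in the original: an OpenVPN daemon listening on UDP 1194, a second uplink eth1 behind gateway 203.0.113.1, and fwmark 0x1 and routing table 100 being unused. Without --apply it only prints the commands, so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example: Linux policy routing for a daemon's own replies.
# Outbound packets from the daemon are marked in the mangle OUTPUT chain;
# an ip rule sends marked packets to a separate routing table whose
# default route points at the second uplink.
#
# Assumed values (constructed for this example, not from the thread):
#   OpenVPN listens on UDP 1194, the second uplink is eth1 with gateway
#   203.0.113.1, fwmark 0x1 and routing table 100 are unused.
#
# Without --apply the script only prints the commands it would run.

VPN_PORT="${VPN_PORT:-1194}"
ALT_GW="${ALT_GW:-203.0.113.1}"
ALT_DEV="${ALT_DEV:-eth1}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"

# policy_route_cmds PORT GW DEV MARK TABLE
# Print the command sequence, one command per line.
policy_route_cmds() {
    port="$1"; gw="$2"; dev="$3"; mark="$4"; table="$5"
    # 1. Mark locally generated packets from the daemon. mangle OUTPUT runs
    #    after the initial route lookup, but the kernel re-routes a packet
    #    whose mark changed there, which is what makes this work.
    echo "iptables -t mangle -A OUTPUT -p udp --sport $port -j MARK --set-mark $mark"
    # 2. A routing table whose only default route is the second uplink.
    echo "ip route add default via $gw dev $dev table $table"
    # 3. Policy routing rule: marked packets consult that table first.
    echo "ip rule add fwmark $mark lookup $table"
    # 4. Clients reach the daemon through $dev, but the main table would
    #    send traffic to their addresses out the first uplink; strict
    #    reverse-path filtering (rp_filter=1) therefore drops their packets
    #    on $dev. Loose mode (2) accepts them if any interface can reach
    #    the source.
    echo "sysctl -w net.ipv4.conf.$dev.rp_filter=2"
}

# Number of commands in the plan; handy for a quick sanity check.
policy_route_count() {
    policy_route_cmds "$@" | wc -l | tr -d ' '
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        # Execute each command in order, aborting on the first failure.
        policy_route_cmds "$VPN_PORT" "$ALT_GW" "$ALT_DEV" "$MARK" "$TABLE" |
        while IFS= read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd" || exit 1
        done
    else
        echo "# dry run; re-run with --apply as root to install these:"
        policy_route_cmds "$VPN_PORT" "$ALT_GW" "$ALT_DEV" "$MARK" "$TABLE"
    fi
}

main "$@"
```

One caveat a practitioner should keep in mind: the mark changes the next hop, not the source address, which the kernel already chose during the first route lookup. The daemon therefore has to bind to the second uplink's address (for OpenVPN, --local or --multihome), otherwise replies leave eth1 carrying the first uplink's address.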