OSEC

Re: Checking Routes/Gateways For Good Connection

From: Bret S. Lambert (bret.lambertgmail.com)
Date: Sat Aug 28 2010 - 23:35:26 CDT


On Sat, Aug 28, 2010 at 09:50:30PM -0500, dontek wrote:
> This is even more strange to me. If I change rule 39 and 40 by taking out
> the "on" interface to the following:
>
> PF Rules: (rule number prepended, these are the _last_ 6 lines in my
> pf.conf)
>
> 39: pass out quick log from 172.16.0.1 route-to (em0 192.168.0.1)
> 40: pass out quick log from 172.16.1.1 route-to (em1 10.10.0.1)
> 41: pass out log on em0
> 42: pass out log on em1
> 43: pass out log on em0 from em1 route-to (em1 10.10.0.1)
> 44: pass out log on em1 from em0 route-to (em0 192.168.0.1)
>
>
> Tests:
>
> $ traceroute -s 172.16.0.1 -n google.com
>
>
> Tcpdump pflog0 output:
>
> Aug 28 21:41:11.215660 rule 40/(match) pass out on em0: 172.16.1.1.63306 > 74.125.45.147.33449: udp 12
> Aug 28 21:41:11.225656 rule 39/(match) pass out on em1: 172.16.0.1.48096 > 74.125.45.147.33449: udp 12
>
>
> Now these packets are being caught by my rule 39 and 40, but it appears the
> route-to is just being ignored. Am I reading the tcpdump output wrong? I
> just don't get it..?
>

from pf.conf:

    When a route-to rule creates state, only packets that pass in the same
    direction as the filter rule specifies will be routed in this way.
    Packets passing in the opposite direction (replies) are not affected
    and are routed normally.
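As an added example (not code from either poster), the following Python check correlates the numbered rules and the pflog lines quoted in this thread, recording each rule's route-to interface and flagging logged outbound packets whose logging interface differs from it. It only surfaces the discrepancy dontek noticed in a repeatable way; the rule numbering, log lines and output format are taken from the post and assumed to be representative.

```python
import re

# Constructed from the rules and pflog lines quoted in the thread.
PF_RULES = """\
39: pass out quick log from 172.16.0.1 route-to (em0 192.168.0.1)
40: pass out quick log from 172.16.1.1 route-to (em1 10.10.0.1)
41: pass out log on em0
42: pass out log on em1
43: pass out log on em0 from em1 route-to (em1 10.10.0.1)
44: pass out log on em1 from em0 route-to (em0 192.168.0.1)
"""

PFLOG = """\
Aug 28 21:41:11.215660 rule 40/(match) pass out on em0: 172.16.1.1.63306 > 74.125.45.147.33449: udp 12
Aug 28 21:41:11.225656 rule 39/(match) pass out on em1: 172.16.0.1.48096 > 74.125.45.147.33449: udp 12
"""

# "<num>: <rule body> [route-to (<iface> <gateway>)]"
RULE_RE = re.compile(r"^(\d+):\s*(.*?)(?:\s+route-to\s+\((\S+)\s+(\S+)\))?\s*$")
# tcpdump-on-pflog0 line: rule number, action, direction, interface, addresses.
LOG_RE = re.compile(
    r"rule (\d+)/\((\w+)\) (pass|block) (in|out) on (\w+): "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)"
)


def parse_rules(text):
    """Map rule number -> body and route-to interface/gateway (None if absent)."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, body, rt_if, rt_gw = m.groups()
            rules[int(num)] = {"body": body, "route_if": rt_if, "route_gw": rt_gw}
    return rules


def check_pflog(log_text, rules):
    """Return (rule, logged_iface, route_to_iface, note) for suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        num, _how, _action, direction, ifname, *_addrs = m.groups()
        rule = rules.get(int(num))
        if rule is None:
            findings.append((int(num), ifname, None, "rule number not in ruleset"))
        elif rule["route_if"] and direction == "out" and rule["route_if"] != ifname:
            findings.append((int(num), ifname, rule["route_if"], "logged iface differs from route-to iface"))
    return findings
```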