tech-net archive


Re: IPFilter and policy routing?



>>>>> Bernd Ernesti writes:

Bernd> On Mon, Jul 14, 2008 at 12:21:09PM +0200, Urban Boquist wrote:
>> I have a machine that needs to be reachable on two public IPs
>> (connected to two different ISPs) during a transition period. So I

Bernd> Hmmm, I had such a setup in the past and at that time I used
Bernd> something like this:
Bernd>   pass out quick on fxp0 to tlp0:172.16.1.2 from 172.16.1.1/32 to any
Bernd> where 172.16.1.2 is the gateway on the other side of that interface.

Ah, this is confusing me. I had actually tried exactly that before but
could not get it to work. Some more experiments now and I find that
with only this single rule in ipf.conf it does work:

pass out quick on fxp0 to tlp0:172.16.1.2 from 172.16.1.1      # WORKS!

but with these two it does not work:

pass out quick on fxp0 to tlp0:172.16.1.2 from 172.16.1.1      # DOES NOT WORK
pass in quick proto tcp from any to any port = 13 keep state

on the other hand, this does work:

pass out quick on fxp0 to tlp0:172.16.1.2 from 172.16.1.1      # WORKS!
pass in quick proto tcp from any to any port = 13

so it seems that the "keep state" makes the reply packet bypass the
rule set. Not very surprising maybe now that I think of it...

But then again this makes me a little confused. I have always had
"keep state" at the end of all rules allowing access to external
services on the machine. But if it works without it then what is the
point of that?

Thanks for the reply Bernd! Now I at least have something that seems
to work the way I want, although I do not yet fully understand why... ;-)

Best regards,
     -- Urban
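The behaviour Urban observes follows from how IPFilter handles "keep state": once an inbound packet creates a state entry, the reply packets are matched against the state table and never walk the rule set again, so a "pass out ... to tlp0:..." policy-route rule is never consulted for them. The ipf.conf fragment below is an added example, not a configuration posted in this thread. It reuses the interface names and addresses from the mail (default route out fxp0, second public address 172.16.1.1 on tlp0 with ISP gateway 172.16.1.2) and assumes the second ISP delivers traffic for 172.16.1.1 on tlp0. It also assumes the IPFilter 4.x "reply-to" keyword documented in ipf.conf(5) is available on the NetBSD release in use, which is an assumption and not something the thread confirms.

```conf
# /etc/ipf.conf -- added example, not from the thread.
# Assumed topology (taken from the mail): default route leaves via fxp0
# (ISP A); tlp0 carries the second public address 172.16.1.1, whose
# gateway on the ISP B side is 172.16.1.2. Inbound traffic for
# 172.16.1.1 is assumed to arrive on tlp0.

# Locally originated traffic sourced from the tlp0 address: override the
# default route and hand it to the ISP B gateway instead.
pass out quick on fxp0 to tlp0:172.16.1.2 from 172.16.1.1 to any

# Problem variant (kept for comparison, disabled): the state entry created
# by the inbound SYN short-circuits rule evaluation for the replies, so
# the "pass out ... to tlp0" rule above is never consulted and the SYN/ACK
# follows the kernel's default route out fxp0 with a source of 172.16.1.1.
#pass in quick on tlp0 proto tcp from any to 172.16.1.1 port = 13 keep state

# Corrected variant (assumes IPFilter 4.x "reply-to"): bind the routing
# decision to the state entry itself, so every reply that matches this
# state is sent out tlp0 to 172.16.1.2 regardless of the routing table.
pass in quick on tlp0 reply-to tlp0:172.16.1.2 proto tcp from any to 172.16.1.1 port = 13 keep state

# Stateless variant, equivalent to what the mail reports as working:
# replies are not matched by a state entry, so they pass through the
# rule set and hit the policy-route rule above.
#pass in quick on tlp0 proto tcp from any to 172.16.1.1 port = 13
```

After loading it with `ipf -Fa -f /etc/ipf.conf`, `ipfstat -io` lists the active in/out rules so you can confirm the ordering, and `ipfstat -sl` shows the state entries created by the "keep state" rule. The choice between the stateless rule and the reply-to rule is a trade-off: the stateless variant works only because the reply is re-evaluated against the out rules, so every reply packet is also open to spoofed inbound traffic that matches the same "pass in" rule, whereas the reply-to variant keeps the protection of the state table and still routes replies to the correct ISP.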

