Re: redirect to an interface

----- Original Message -----
From: "Olivier Nicole" <on@cs.ait.ac.th>
To: <ipfilter@coombs.anu.edu.au>
Sent: Wednesday, July 13, 2005 9:47 PM
Subject: Re: redirect to an interface


> Thanks James,
>
>> block in quick on fxp0 to fxp1 from x.x.x.x to y.y.y.y
>
> That would only block the packet from getting out on a certain interface.

Actually it doesn't. If you make the rule "pass in quick..." then it
generates a duplicate copy of the packet, which can cause all
sorts of problems. I know it sounds backwards but it works.

From http://www.obfuscation.org/ipf/ipf-howto.txt

"If we don't care about passing the packet to its normal
destination and we were going to block it anyway, we can
just use the to keyword to push this packet past the normal
routing table and force it to go out a different interface
than it would normally go out.

block in quick on xl0 to ed0 proto tcp from any to any port < 1024

we use block quick for to interface routing, because like
fastroute, the to interface code will generate two packet
paths through ipfilter when used with pass, and likely cause
your system to panic."

So, if you use "pass in quick ..." two copies of the packet will be
generated. One will be sent to the "to" interface while the other
will be processed through the normal routing table. When used
for an interface "to" bypasses the normal routing table.
--
James A. Robbins
Network Engineer
The Ohio State University
Chemistry Department