Override route-to for hidden firewall host outbound rules?



  • 2.1-RC0 (amd64)
    built on Thu Jul 18 23:31:28 EDT 2013
    FreeBSD 8.3-RELEASE-p8

    I want to override the hidden rules below with a floating rule (or rules). Note that 1.1.1.42, 45, and 46 are the external firewall IP, the WAN CARP address, and an IP alias. Ideally there would be an option to keep the route-to from appearing in the rules at all, but that does not seem to be an available option.

    I am not 100% clear on how rules I create in the floating section without quick or even with quick will influence the hidden rules.

    Hidden rules, with the first three octets exchanged for 1.1.1:

    let out anything from the firewall host itself and decrypted IPsec traffic


    pass out route-to ( em0 1.1.1.41 ) from 1.1.1.43 to !1.1.1.40/29 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em0 1.1.1.41 ) from 1.1.1.42 to !1.1.1.42/29 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em0 1.1.1.41 ) from 1.1.1.45 to !1.1.1.45/29 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em0 1.1.1.41 ) from 1.1.1.46 to !1.1.1.46/29 keep state allow-opts label "let out anything from firewall host itself"

    Will the floating rules below override the route-to or will I need to include quick option... or will it not override them even with that option?

    User-defined rules follow

    anchor "userrules/*"
    pass  out  from 1.1.1.43 to !1.1.1.40/29  label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
    pass  out  from 1.1.1.42 to !1.1.1.40/29  label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
    pass  out  from 1.1.1.45 to !1.1.1.40/29  label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
    pass  out  from 1.1.1.46 to !1.1.1.40/29  label "USER_RULE: Attempt disable route-to by overridding the hidden rule"

    The reason for wanting this in case anyone cares...
    I want IPsec traffic to be able to switch between two external IPs on a single WAN (only 1 WAN interface). One gateway is going to the internet. The other is a dedicated link to a backup datacenter. A dynamic route will switch the remote backup site subnet traffic (external IPs) to the internet if the dedicated link goes down. I don't want to use two WAN links because then NAT from LAN to WAN will become a problem for keeping current connections alive during the route switching. I do not want the firewall to ever kill any active connections on the route changing, and I have disabled all state killing on the firewall.

    I want outgoing traffic to just always use the routing table to determine where to send packets and not force any traffic to any specific gateway.



  • After thinking about it more I am sure the rules will override the hidden rules. I don't really need to restrict the destination though. All traffic is allowed out from the firewall itself already in another hidden rule, so why spend processing checking the destination?

    I was for some reason getting confused and thinking the most specific match would apply (the route-to would somehow be a match criterion when it is an option), when I know that is not the case. The last rule that matches the traffic is what applies, with the exception that a match-action rule can add things to it (like queues) if it comes before the pass rule.
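Added example, written for this thread and not part of either post or of pfSense's own code: a small Python model of the pf evaluation order the second post describes (the last matching pass/block rule decides, a matching rule with quick ends the search, match rules only attach options), run over the rules quoted above. It parses only the subset of pf syntax those rules use, skips the anchor line, and adds one constructed variant in which the hidden rule carries quick, to show the case where a later floating rule would no longer decide the packet.

```python
"""Model pf rule evaluation order (added example, not pfSense code).

pf walks the ruleset top to bottom: the last pass/block rule that matches
decides the packet and carries its options (e.g. route-to), unless a matching
rule has 'quick', which ends the search at once. 'match' rules never decide.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of pf syntax used by the rules quoted in the thread (assumption:
# only these keywords appear; anchors and comments are skipped by load_rules).
RULE_RE = re.compile(
    r'^(?P<action>pass|block|match)\s+(?P<direction>in|out)'
    r'(?P<quick>\s+quick)?'
    r'(?:\s+route-to\s+\(\s*(?P<rt_if>\S+)\s+(?P<rt_gw>\S+)\s*\))?'
    r'\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
    r'(?:\s+keep\s+state)?(?:\s+allow-opts)?'
    r'(?:\s+label\s+"(?P<label>[^"]*)")?\s*$'
)


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    route_to: Optional[Tuple[str, str]]   # (interface, gateway) or None
    src: Tuple[bool, ipaddress.IPv4Network]  # (negated, network)
    dst: Tuple[bool, ipaddress.IPv4Network]
    label: str


def parse_addr(token: str):
    """'!1.1.1.42/29' -> (True, 1.1.1.40/29); a bare host becomes a /32."""
    negated = token.startswith('!')
    return negated, ipaddress.ip_network(token.lstrip('!'), strict=False)


def addr_matches(spec, ip: str) -> bool:
    negated, net = spec
    return (ipaddress.ip_address(ip) in net) != negated


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f'unsupported rule syntax: {line!r}')
    route_to = (m['rt_if'], m['rt_gw']) if m['rt_if'] else None
    return Rule(m['action'], m['direction'], m['quick'] is not None, route_to,
                parse_addr(m['src']), parse_addr(m['dst']), m['label'] or '')


def load_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line.startswith('anchor'):
            continue  # anchors and comments carry no match criteria here
        rules.append(parse_rule(line))
    return rules


def evaluate(rules: List[Rule], direction: str, src: str, dst: str) -> Optional[Rule]:
    """Return the rule that decides the packet, or None (pf's default: pass)."""
    winner = None
    for rule in rules:
        if rule.direction != direction:
            continue
        if not (addr_matches(rule.src, src) and addr_matches(rule.dst, dst)):
            continue
        if rule.action == 'match':
            continue  # match rules attach options but never end evaluation
        winner = rule  # the last match so far decides ...
        if rule.quick:
            break      # ... unless it is quick, which stops the search
    return winner


# Rules as quoted in the thread: hidden rules first, then the floating user rules.
THREAD_RULES = """
pass out route-to ( em0 1.1.1.41 ) from 1.1.1.43 to !1.1.1.40/29 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 1.1.1.41 ) from 1.1.1.42 to !1.1.1.42/29 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 1.1.1.41 ) from 1.1.1.45 to !1.1.1.45/29 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 1.1.1.41 ) from 1.1.1.46 to !1.1.1.46/29 keep state allow-opts label "let out anything from firewall host itself"
anchor "userrules/*"
pass  out  from 1.1.1.43 to !1.1.1.40/29  label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
pass  out  from 1.1.1.42 to !1.1.1.40/29  label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
pass  out  from 1.1.1.45 to !1.1.1.40/29  label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
pass  out  from 1.1.1.46 to !1.1.1.40/29  label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
"""

# Constructed variant (not on the page): the first hidden rule with 'quick' added.
QUICK_VARIANT = THREAD_RULES.replace('pass out route-to', 'pass out quick route-to', 1)


def deciding_rule(ruleset: str, direction: str, src: str, dst: str) -> Optional[Rule]:
    return evaluate(load_rules(ruleset), direction, src, dst)


if __name__ == '__main__':
    for name, rs in (('thread ruleset', THREAD_RULES), ('quick variant', QUICK_VARIANT)):
        r = deciding_rule(rs, 'out', '1.1.1.43', '203.0.113.10')  # 203.0.113.10: constructed outside address
        print(f'{name}: decided by {r.label!r}, route-to={r.route_to}')
```

With the thread's ordering, the floating rule for 1.1.1.43 is the last match for a packet leaving toward an outside address, so the deciding rule carries no route-to; once the hidden rule has quick, evaluation stops there and the route-to stays in effect. The model ignores interface, protocol and state-table lookups, so it illustrates ordering only, not a full pf policy check.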