NetBSD-Users archive


Re: sshguard fails to start
On Fri, May 25, 2018 at 10:40:14AM -0400, Greg Troxel wrote:
> 
> Patrick Welche <prlw1%cam.ac.uk@localhost> writes:
> 
> > Maybe this use-case is "don't do that". Essentially: take an "internal"
> > computer, with its default gateway. Add another network card. Connect
> > it directly to "outside", and say run a webserver on it. If you run
> > ipf saying block everything on the external card except to port http
> > keep state, anyone can successfully connect to your webserver, but
> > not to your sshd. If you try the same with npf, the reply from the
> > server will be routed via the default gateway, and the 3rd packet,
> > i.e., the second from the web client, will be blocked as not matching
> > the connection state. (I was confused for ages in PR 53199)
> > ("outside" has its own gateway.)
> 
> Asymmetric routing and firewalls is tricky business, and requires
> cooperating firewalls to synchronize state.
> 
> So if you want to send replies via not the default gateway, then you
> need explicit support for routing them contrary to routing.  I suspect
> npf can do this, but that it needs to be explicitly configured.

Any idea how? (bpf rules rather than npf syntax?)

Cheers,

Patrick
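An added illustration of the failure mode discussed in this thread, not code from the thread or from NetBSD: a toy Python model of a stateful filter on the external interface, with a flag selecting whether a state entry is bound to the interface that created it (the npf behaviour Patrick describes) or global (the ipf behaviour). It shows why the third handshake packet is dropped when the SYN-ACK leaves via the default gateway on the other interface. Interface names, addresses and ports are constructed, and the TCP state machine is simplified to the handshake only.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges) and interface names.
CLIENT, SERVER = "203.0.113.10", "198.51.100.5"

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet is seen on
    direction: str  # "in" or "out"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # "SYN", "SYN-ACK" or "ACK"

class StatefulFilter:
    """Toy model: block everything arriving on the external interface except
    TCP to port 80, which creates a state entry.  bind_to_iface=True keys the
    entry on the interface it was created on (npf-like); False keeps one
    global entry that any interface can match (ipf-like)."""
    def __init__(self, ext_iface, bind_to_iface):
        self.ext, self.bind, self.states = ext_iface, bind_to_iface, {}

    def _key(self, p):
        ends = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))  # both directions
        return (p.iface if self.bind else None, ends)

    def filter(self, p):
        key, nxt = self._key(p), {"SYN-ACK": "SYN_ACK_SEEN", "ACK": "ESTABLISHED"}
        st = self.states.get(key)
        if st is not None:
            # Existing entry: handshake packets must pass through it in order.
            expect = {"SYN_SEEN": "SYN-ACK", "SYN_ACK_SEEN": "ACK"}.get(st)
            if st == "ESTABLISHED" or p.flags == expect:
                self.states[key] = nxt.get(p.flags, st)
                return "pass"
            return "block"
        if p.iface == self.ext and p.direction == "in":
            if p.flags == "SYN" and p.dport == 80:
                self.states[key] = "SYN_SEEN"
                return "pass"
            return "block"
        return "pass"  # no rules on the internal interface

def handshake(fw, reply_iface):
    """Three-way handshake where the server's SYN-ACK leaves on reply_iface."""
    pkts = [Packet("ext0", "in", CLIENT, SERVER, 40000, 80, "SYN"),
            Packet(reply_iface, "out", SERVER, CLIENT, 80, 40000, "SYN-ACK"),
            Packet("ext0", "in", CLIENT, SERVER, 40000, 80, "ACK")]
    return [fw.filter(p) for p in pkts]
```

With interface-bound state and the reply routed out the internal interface, the entry created on `ext0` never sees the SYN-ACK, so the client's ACK fails the state check; with global state, or with the reply sent back out `ext0`, all three packets pass.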

