Project

General

Profile

Actions

Bug #1813

open

Static routes on WAN interfaces overridden by route-to for firewall-initiated traffic

Added by Chris Buechler about 10 years ago. Updated almost 5 years ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
08/22/2011
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

the 'pass out' rules such as:

pass out route-to ( em1 9.2.2.1 ) from 9.2.3.17 to !9.2.2.0/21 keep state allow-opts label "let out anything from firewall host itself"

Break connectivity from the firewall itself to any networks reachable via a static route on a WAN for traffic initiated from the firewall itself.

For example if you add a static route in the above scenario pointing 1.0.0.0/24 to 9.2.3.20, traffic initiated from the firewall to that destination will go to 9.2.2.1, not 9.2.3.20.

Actions

Also available in: Atom PDF