Interesting problem, and you've basically hit it on the head. BSDs are (AFAIK) all policy-based and not route-based, unfortunately, mainly for the reasons jggimi has pointed out about the enc interface.
The solution, however insane it may sound, would be to set up a flow specifically for that traffic. Unfortunately that means you'd be opening your AWS side to the internet, so heavy filtering would be suggested, both in terms of your security groups and your BSD pf.
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Last edited by rocket357; 30th May 2015 at 01:44 AM.
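As an added illustration of the suggestion above (this is not from the original post or its author), here is what a narrowly scoped flow on the OpenBSD side plus restrictive pf filtering for the AWS peer could look like. Every address, network, interface name and the PSK below is a constructed placeholder, and the file layout is assumed; substitute your own values and check against ipsec.conf(5), pf.conf(5) and enc(4).

```conf
# /etc/ipsec.conf  (assumed layout; all addresses are placeholders)
# Load with:  ipsecctl -f /etc/ipsec.conf
local_gw  = "198.51.100.2"       # public address of this OpenBSD gateway
aws_peer  = "203.0.113.10"       # public address of the AWS VPN endpoint
local_net = "192.168.1.0/24"     # site network behind the OpenBSD box
aws_net   = "172.16.0.0/16"      # VPC CIDR on the AWS side

# One flow covering only the traffic that must use the tunnel; anything not
# matched by this flow is never pulled into the SA (policy-based, per the thread).
ike esp from $local_net to $aws_net local $local_gw peer $aws_peer main auth hmac-sha2-256 enc aes-256 group modp2048 quick auth hmac-sha2-256 enc aes-256 group modp2048 psk "replace-with-a-long-random-psk"

# /etc/pf.conf  (assumed; only the IPsec-related rules are shown)
# Load with:  pfctl -f /etc/pf.conf
aws_peer  = "203.0.113.10"
local_net = "192.168.1.0/24"
aws_net   = "172.16.0.0/16"

block in log                       # default-deny on every interface

# Outside interface: accept only IKE (UDP 500/4500) and ESP, and only from the AWS peer.
pass in on egress proto udp from $aws_peer to (egress) port { isakmp, ipsec-nat-t }
pass in on egress proto esp from $aws_peer to (egress)

# enc0: accept only decapsulated traffic between the two networks (pattern from enc(4)).
pass in  on enc0 proto ipencap from $aws_peer to (egress) keep state (if-bound)
pass in  on enc0 from $aws_net   to $local_net keep state (if-bound)
pass out on enc0 from $local_net to $aws_net   keep state (if-bound)
```

The matching restriction on the AWS side is the security group (or NACL) on the VPN endpoint: permit UDP 500, UDP 4500 and IP protocol 50 (ESP) only from the OpenBSD gateway's public address, and nothing else inbound from the internet. With `block in log` as the default and the enc0 rules pinned to the two networks, anything that arrives outside the flow, or from a source other than the peer, is dropped and logged rather than reaching the VPC.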