Tracing packets passing through PF
Tom Judge
tom at tomjudge.com
Fri Mar 2 12:41:55 UTC 2007
Greg Hennessy wrote:
>> I actually need to see how a packet that the IPSEC code generates
>> passes through PF (what rules it is (not) matching etc.). At the moment
>> it seems that it is either a) not passing through pf at all, or b) for
>> some reason not matching the source routing rule.
>>
>> Is there any way to see this, possibly by setting debugging to loud
>> (pfctl -x loud)?
>
> Are you filtering on the loopback by any chance? Or have you set skip on
> lo0?
>
> Greg
>
I have the following rules on lo0:

pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 label "RULE 2 -- ACCEPT "
pass out quick on lo0 inet from 127.0.0.1 to 127.0.0.1 label "RULE 2 -- ACCEPT "

However, the ESP packet generated by the IPSEC code still makes it out
onto the network but fails to hit the source route rules:

pass out quick on bge1 route-to ( bge1 xxx.xxx.xxx.161 ) inet from xxx.xxx.xxx.169 to ! xxx.xxx.xxx.160/27 keep state label "RULE 18 -- "
pass out quick on bge1 route-to ( bge1 yyy.yyy.yyy.65 ) inet from yyy.yyy.yyy.79 to ! yyy.yyy.yyy.64/27 keep state label "RULE 19 -- "
Tom
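An added example, not code from this thread, for the original question of seeing which rules a packet did or did not match: it diffs the per-rule packet counters of two `pfctl -vvsr` snapshots taken before and after the traffic is sent. The dump format is assumed as shown in the comments, the addresses are documentation placeholders for the masked ones, and the snapshots and rule @40 are constructed.

```shell
# Added example, not code from the thread: find which pf rules a packet hit by
# diffing the per-rule "Packets:" counters of two "pfctl -vvsr" snapshots taken
# before and after the packet is sent. Assumed dump format:
#   @18 pass out quick on bge1 ... label "RULE 18 -- "
#     [ Evaluations: 40  Packets: 0  Bytes: 0  States: 0  ]

# Reduce a pfctl -vvsr dump (stdin) to one line per rule: "<num> <packets> <rule>".
rule_counters() {
    awk '/^@[0-9]+ / { num = substr($1, 2); rule = substr($0, length($1) + 2); next }
         /^ *\[ Evaluations:/ { for (i = 1; i <= NF; i++) if ($i == "Packets:") print num, $(i + 1), rule }'
}

# rules_hit BEFORE AFTER: print "<num> <delta> <rule>" for rules whose counter grew.
rules_hit() {
    b=$(mktemp); a=$(mktemp)
    rule_counters < "$1" > "$b"
    rule_counters < "$2" > "$a"
    awk 'FILENAME == ARGV[1] { before[$1] = $2; next }
         ($2 > before[$1] + 0) { $2 = $2 - before[$1]; print }' "$b" "$a"
    rm -f "$b" "$a"
}

# Live use on the firewall (root): snapshot, trigger the IPsec traffic, snapshot again:
#   pfctl -vvsr > /tmp/pf.before; ...; pfctl -vvsr > /tmp/pf.after; rules_hit /tmp/pf.before /tmp/pf.after

# Constructed snapshots, not real pfctl output (192.0.2.0/24 stands in for the masked
# addresses; @40 is a hypothetical catch-all ESP rule). The ESP packet bumps @40 and
# leaves @18 at zero, which is what a skipped route-to rule looks like.
demo() {
    db=$(mktemp); da=$(mktemp)
    cat > "$db" <<'EOF'
@2 pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 label "RULE 2 -- ACCEPT "
  [ Evaluations: 120       Packets: 7         Bytes: 588         States: 0     ]
@18 pass out quick on bge1 route-to (bge1 192.0.2.161) inet from 192.0.2.169 to ! 192.0.2.160/27 keep state label "RULE 18 -- "
  [ Evaluations: 40        Packets: 0         Bytes: 0           States: 0     ]
@40 pass out quick on bge1 inet proto esp all label "RULE 40 -- ACCEPT "
  [ Evaluations: 40        Packets: 3         Bytes: 456         States: 0     ]
EOF
    cat > "$da" <<'EOF'
@2 pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 label "RULE 2 -- ACCEPT "
  [ Evaluations: 120       Packets: 7         Bytes: 588         States: 0     ]
@18 pass out quick on bge1 route-to (bge1 192.0.2.161) inet from 192.0.2.169 to ! 192.0.2.160/27 keep state label "RULE 18 -- "
  [ Evaluations: 41        Packets: 0         Bytes: 0           States: 0     ]
@40 pass out quick on bge1 inet proto esp all label "RULE 40 -- ACCEPT "
  [ Evaluations: 41        Packets: 4         Bytes: 608         States: 0     ]
EOF
    rules_hit "$db" "$da"
    rm -f "$db" "$da"
}
```

Rules whose counter does not move between the two snapshots, like @18 in the demo, are the ones the packet never matched; the Evaluations column rising while Packets stays flat means the rule was considered but its criteria did not fit the packet.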