6.2-STABLE: enc0 sees only outgoing packets in pf
Andre Albsmeier
Andre.Albsmeier at siemens.com
Mon Mar 26 07:11:18 UTC 2007
On Mon, 26-Mar-2007 at 02:58:20 +0200, Volker wrote:
> Andrew, Andre & all,
>
> I've checked it out once more (with a corrected setup) and now have
> been able to block traffic on enc0 in both directions (no matter if
> the tunnel endpoint is final destination or not).
Does that mean that a rule

    block in log quick on enc0

on top of all rules actually blocks anything (assuming you don't
have another state-keeping outgoing rule for enc0)?
-Andre
>
> Sorry for my first false posting.
>
> In this test case both machines (tunnel endpoints) are:
>
> FreeBSD ... 6.2-RELEASE-p1 FreeBSD 6.2-RELEASE-p1 #0: Sun Feb 11
> 22:35:18 CET 2007 root at ...:/usr/obj/usr/src/sys/GwMbg i386
>
> One machine is using racoon (ipsec-tools), the other is using racoon2.
>
> `ifconfig enc0':
> enc0: flags=41<UP,RUNNING> mtu 1536
>
> relevant kernconf parts:
> options FAST_IPSEC
> device random
> device enc
> device crypto
>
> Andre:
>
> If you still have trouble getting IPSec + enc0 + pf to work, please
> post me a private message. I know it's hard to find someone who has
> a working IPSec setup and is willing to help.
>
> At least my test setup shows it is not just possible to block
> traffic on device enc0 using pf, but to see all traffic in the pf
> logs (if being configured to do so).
>
> Probably you're willing to show us your pf rules to have a look at it?
>
> Have pfun! ;)
>
> Volker
--
Every project manager who believes he manages projects also
believes that brimstone butterflies (Zitronenfalter) fold lemons.
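As an added illustration of the rule Andre asks about (an example pf.conf fragment written for this archive page, not the configuration of either poster): the enc0 block placed first with `quick`, next to the kind of state-keeping outgoing rule that would let inbound packets past it, and the pfctl/tcpdump commands used to confirm what pf actually sees on enc0. The interface name `em0` and the network `10.0.1.0/24` are assumptions.

```pf
# Added example pf.conf fragment (not from the posters' setups).
# Assumptions: enc0 is the FAST_IPSEC encapsulating interface, em0 is the
# outer (ESP-carrying) interface, 10.0.1.0/24 is the remote protected net.
ext_if     = "em0"
remote_net = "10.0.1.0/24"

# The ESP packets themselves are filtered on the outer interface, not on
# enc0; enc0 only ever carries the decapsulated (cleartext) traffic.
pass in  on $ext_if proto esp from any to any
pass out on $ext_if proto esp from any to any

# 1. The rule from the thread, first in the ruleset. 'quick' makes it the
#    final match, so no later rule can override it; 'log' sends every
#    packet it drops to pflog0, giving direction, interface and rule number.
block in log quick on enc0

# 2. The caveat Andre raises: an outgoing rule on enc0 that keeps state.
#    pf consults the state table BEFORE it evaluates the ruleset, so the
#    replies to this connection match the state and never reach rule 1.
#    Inbound enc0 traffic is therefore not blocked unconditionally.
pass out on enc0 proto tcp from any to $remote_net port 22 keep state

# 3. If enc0 inbound really must be dropped regardless of state, remove
#    the 'keep state' (accepting that replies are then dropped by rule 1)
#    or remove the 'pass out' on enc0 altogether:
# pass out on enc0 proto tcp from any to $remote_net port 22

# Verification, typed as root in a shell (all standard pfctl/tcpdump usage):
#   pfctl -nf /etc/pf.conf        # parse only, catch syntax errors
#   pfctl -f  /etc/pf.conf        # load the ruleset
#   pfctl -vsr                    # rules with per-rule packet/byte counters
#   pfctl -ss                     # current states (look for enc0 entries)
#   tcpdump -n -e -ttt -i pflog0  # logged packets with direction and rule
```

Reading `pfctl -vsr` after sending traffic through the tunnel shows whether rule 1's counters move at all for inbound packets; if they stay at zero while `pfctl -ss` lists states created by rule 2, the inbound packets are being matched by state, which is exactly the situation the caveat in the question describes.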