From: Vadym Chepkov
To: freebsd-pf@FreeBSD.org
Date: Tue, 2 Feb 2010 04:22:04 -0500
Subject: pf and enc0
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

Hi,

I have stumbled on a problem and I am not sure if it's a bug or a feature.

Very simple block rules:

# pfctl -sr | grep block
block return in log on bge0 all
block return in quick on bge0 from to any
block return out quick on bge0 from any to

bge0 is my WAN interface, I have FreeBSD 6.4.

I enabled IPSEC in my kernel:

options FAST_IPSEC
options IPSEC_NAT_T
device enc
device crypto
device cryptodev

and all works fine until I do 'ifconfig enc0 up'. After that, traffic coming through the ipsec tunnel is getting rejected and I can see it's recorded in pflog0.

I am not sure why and how to prevent this from happening.

Thanks,
Vadym Chepkov