From: Vadym Chepkov
In-Reply-To: <1FDF0CD4-43E2-449D-9B19-648E8A3EFC8B@xgs-france.com>
Date: Tue, 2 Feb 2010 04:51:04 -0500
Message-Id: <3EFB5293-0CCA-41F7-B5DF-B309197EC343@gmail.com>
References: <1FDF0CD4-43E2-449D-9B19-648E8A3EFC8B@xgs-france.com>
To: dug
Cc: freebsd-pf@FreeBSD.org
Subject: Re: pf and enc0

But I don't "block" it, I thought default is to "pass"?

On Feb 2, 2010, at 4:48 AM, dug wrote:

> Hello,
>
> You have to allow this traffic on your enc0 interface.
> It's not a bug.
>
>
> On 2 Feb 2010, at 10:22, Vadym Chepkov wrote:
>
>> Hi,
>>
>> I have stumbled on a problem and I am not sure if it's a bug or a feature.
>>
>> very simple block rules
>>
>> # pfctl -sr | grep block
>> block return in log on bge0 all
>> block return in quick on bge0 from to any
>> block return out quick on bge0 from any to
>>
>> bge0 is my WAN interface, I have FreeBSD 6.4
>>
>> I enabled IPSEC in my kernel
>>
>> options FAST_IPSEC
>> options IPSEC_NAT_T
>> device enc
>> device crypto
>> device cryptodev
>>
>> and all works fine until I do 'ifconfig enc0 up'
>> after that traffic coming through ipsec tunnel is getting rejected and I can see it's recorded in pflog0
>>
>> I am not sure why and how to prevent this from happening.
>>
>> Thanks,
>> Vadym Chepkov