From: Doug Barton
Date: Wed, 01 Feb 2012 00:06:28 -0800
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org
Subject: Re: allowing gif thru ipfw

If it's a Hurricane Electric tunnel, don't you want protocol 41?

On 01/31/2012 22:55, Eugene Grosbein wrote:
> 01.02.2012 11:36, Eric W. Bates wrote:
>> Seems like a silly question; but how does one allow the packets
>> composing a gif tunnel thru ipfw?
>>
>> I assumed a gif was made up of ipencap (IP proto 4) packets and added rules:
>>
>> $fwcmd add 00140 allow ipencap from $he_tun to me
>> $fwcmd add 00141 allow ipencap from me to $he_tun
>>
>> ($he_tun is a Hurricane Electric provider); but neither of them are
>> hit; so that's wrong...
>>
>> tcpdump -i em_vlan5 -nnvvs0 ip proto 4
>>
>> doesn't show any packets either...
>
> Try:
>
> tcpdump -i em_vlan5 -nnvvs0 host $he_tun and not tcp and not udp and not icmp
>
> Perhaps your gif is encrypted with ipsec? That changes ip protocol numbers.
>
> Eugene Grosbein

--
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
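
The rules the reply points toward, as an added example that is not part of the original thread: a gif(4) tunnel carrying IPv6 over IPv4 (as Hurricane Electric tunnels do) appears on the wire as IP protocol 41, while IPv4-in-IPv4 is protocol 4. The helper names, `FWCMD`, rule numbers 140/141 and the 192.0.2.1 endpoint are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. gif_proto, gif_rules, gif_capture_filter and FWCMD are
# hypothetical helpers, not part of ipfw or of the thread above.

# Outer IP protocol number a gif(4) tunnel emits, chosen by the address
# family carried *inside* the tunnel.
gif_proto() {
    case "$1" in
        inet6) echo 41 ;;   # IPv6-in-IPv4 (6in4)
        inet)  echo 4  ;;   # IPv4-in-IPv4, "ipencap" in /etc/protocols
        *)     echo "unknown inner family: $1" >&2; return 1 ;;
    esac
}

# Emit the inbound and outbound ipfw rules for one tunnel endpoint.
# $1 = inner family, $2 = remote endpoint, $3 = first rule number.
# FWCMD defaults to "echo ipfw", so rules are printed, not installed;
# set FWCMD=/sbin/ipfw to apply them.
gif_rules() {
    proto=$(gif_proto "$1") || return 1
    ${FWCMD:-echo ipfw} add "$3" allow "$proto" from "$2" to me
    ${FWCMD:-echo ipfw} add "$(($3 + 1))" allow "$proto" from me to "$2"
}

# tcpdump filter that matches the tunnel's outer packets, for checking
# that the rules and the traffic agree on the protocol number.
gif_capture_filter() {
    proto=$(gif_proto "$1") || return 1
    echo "ip proto $proto and host $2"
}

# Constructed sample endpoint (documentation range) standing in for $he_tun.
he_tun=${he_tun:-192.0.2.1}
gif_rules inet6 "$he_tun" 140
echo "tcpdump -i em_vlan5 -nnvvs0 $(gif_capture_filter inet6 "$he_tun")"
```

If the tunnel is wrapped in IPsec, as the quoted reply raises, the outer protocol is neither of these and the rules above will not match.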