Date:      Thu, 14 Apr 2005 09:47:07 +0200
From:      stephen <dinzdale@gmail.com>
To:        Vlad GALU <vladgalu@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pflog and traffic via gif_if
Message-ID:  <ee918c780504140047d7ae165@mail.gmail.com>
In-Reply-To: <79722fad0504131316236b50f5@mail.gmail.com>
References:  <ee918c7805041200513d8f36a@mail.gmail.com> <ee918c7805041309063d83d732@mail.gmail.com> <79722fad05041312472ac3a460@mail.gmail.com> <ee918c78050413131448a22c86@mail.gmail.com> <79722fad0504131316236b50f5@mail.gmail.com>

On 4/13/05, Vlad GALU <vladgalu@gmail.com> wrote:
> On 4/13/05, stephen <dinzdale@gmail.com> wrote:
> > On 4/13/05, Vlad GALU <vladgalu@gmail.com> wrote:
> > > On 4/13/05, stephen <dinzdale@gmail.com> wrote:
> > >    You're not allowing any ipencap traffic on your tun interface. One
> > > more thing: you have "block in on $ext_if all" twice.
> > >
> >
> > Ah yeah... I do have it correct in my pf.conf, it was because I was
> > replacing all the variables back to what they should be.. must've lost
> > concentration as I was sending this mail just as my ride home arrived.
> >
> > Can you tell me more about allowing ipencap please?
> >
>   gif interfaces use an encapsulation named "ipencap" (grep ipencap
> /etc/protocols, you'll see it mentioned there). All you have to do is
> to permit that type of protocol to flow in and out of your tun interface.
> This should do it.

ok, we're making progress!
I added the rules:

pass in on $ext_if inet proto ipencap from any to any keep state
pass out on $ext_if inet proto ipencap from any to any keep state

I don't think I'd need the keep state as I'm passing all in and out,
but threw it in there anyway..

Thu Apr 14 09:37:23 root@bollox:/home/stephen# ping -c 3 10.0.89.254
PING 10.0.89.254 (10.0.89.254): 56 data bytes

--- 10.0.89.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Thu Apr 14 09:37:47 root@bollox:/home/stephen# ping -c 3 www.iol.co.za
PING www.iol.co.za (196.30.168.79): 56 data bytes
64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=48.192 ms
64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=46.719 ms
64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=49.637 ms

--- www.iol.co.za ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 46.719/48.183/49.637/1.191 ms


I've now gone from 'operation not permitted' to no ping response when
pinging 10.0.89.254  (end point of tunnel).  doesn't look like an icmp
issue as I can ping www.iol.co.za via tun0 w/o a problem.


perhaps I should stop looking at this problem and try to rectify my pflog
problem as I'm sure it'll help tell me what to look at rather than
posting step by step =]    (although I'm hoping one day this'll help
someone else 'cause it had me baffled for a while and I couldn't find
anything on the web)


Thanks for help thus far =]


Stephen
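As an added illustration (not a ruleset from either poster), here is a pf.conf fragment that applies Vlad's ipencap advice while tightening it to the tunnel peer, and that also passes the decapsulated traffic on the gif interface itself: pf filters the inner packets a second time on gif0, so rules on the outer interface alone are not enough when a block rule covers gif0. The interface names, the peer address and the tunnel network are assumptions; 10.0.89.0/24 is taken from the thread, 203.0.113.10 is a documentation-range placeholder.

```pf
# Added example, not from the original thread.
# Assumptions: ext_if is the outer (PPP) interface the tunnel rides on,
# gif_if is the tunnel interface, tunnel_peer is the remote outer address,
# tunnel_net is the private network reached through the tunnel.
ext_if      = "tun0"
gif_if      = "gif0"
tunnel_peer = "203.0.113.10"     # placeholder (RFC 5737 range)
tunnel_net  = "10.0.89.0/24"     # tunnel network named in the thread

set skip on lo0

# Default deny on the outer interface; "log" sends matches to pflog0 so
# blocked packets can be seen with: tcpdump -n -e -ttt -i pflog0
block in log on $ext_if all

# Outer tunnel: IP protocol 4 (ipencap, see /etc/protocols).
# Restricted to the known peer instead of "from any to any".
pass in  quick on $ext_if inet proto ipencap from $tunnel_peer to ($ext_if)
pass out quick on $ext_if inet proto ipencap from ($ext_if) to $tunnel_peer

# Inner (decapsulated) traffic is filtered again on the gif interface;
# without these, a ping to the far tunnel endpoint never leaves gif0.
pass in  on $gif_if inet from $tunnel_net to any keep state
pass out on $gif_if inet from any to $tunnel_net keep state

# Ordinary outbound traffic on the outer interface
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if) to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf parsed them.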