Date: Fri, 02 Mar 2007 12:38:27 +0000
From: Tom Judge <tom@tomjudge.com>
To: Greg Hennessy <Greg.Hennessy@nviz.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Tracing packets passing through PF
Message-ID: <45E81AC3.5020304@tomjudge.com>
In-Reply-To: <001901c75cb1$040435a0$0c0ca0e0$@Hennessy@nviz.net>
References: <45E75454.2060302@tomjudge.com> <000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net> <45E7F00B.6010306@tomjudge.com> <001901c75cb1$040435a0$0c0ca0e0$@Hennessy@nviz.net>
Greg Hennessy wrote:
>> I actually need to see how a packet that the IPSEC code generates
>> passes through PF (what rules it is (not) matching etc). At the moment
>> it seems that it is either a) not passing through pf at all, b) for
>> some reason not matching the source routing rule.
>>
>> Is there any way to see this, possibly by setting debugging to loud
>> (pfctl -x loud)?
>
> Are you filtering on the loopback by any chance? Or have you set skip on
> lo0?
>
> Greg
>

I have the following rules on lo0:

pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 label "RULE 2 -- ACCEPT "
pass out quick on lo0 inet from 127.0.0.1 to 127.0.0.1 label "RULE 2 -- ACCEPT "

However, the ESP packet generated by the IPSEC code still makes it out onto the network but fails to hit the source route rules:

pass out quick on bge1 route-to ( bge1 xxx.xxx.xxx.161 ) inet from xxx.xxx.xxx.169 to ! xxx.xxx.xxx.160/27 keep state label "RULE 18 -- "
pass out quick on bge1 route-to ( bge1 yyy.yyy.yyy.65 ) inet from yyy.yyy.yyy.79 to ! yyy.yyy.yyy.64/27 keep state label "RULE 19 -- "

Tom
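One way to get the per-packet visibility the thread is asking for, added here as an example and not part of the original exchange: pf's own tracing facility is the `log` keyword plus the pflog interface, not the debug level. The fragment below reuses the bge1 route-to rules exactly as posted (the xxx/yyy addresses are the redacted ones from the message), adds `log` to them, and appends a logged catch-all for ESP so that an ESP packet which reaches pf on bge1 but falls through the `quick` route-to rules is still recorded. The label "ESP-FALLTHROUGH" is an arbitrary name chosen for this example.

```pf
# Added example pf.conf fragment for tracing IPsec ESP on bge1.
# Rules 18 and 19 are the ones from the message above with "log" added;
# every packet that matches a "log" rule is copied to pflog0 together
# with the number of the rule that matched it.
pass out log quick on bge1 route-to ( bge1 xxx.xxx.xxx.161 ) inet from xxx.xxx.xxx.169 to ! xxx.xxx.xxx.160/27 keep state label "RULE 18 -- "
pass out log quick on bge1 route-to ( bge1 yyy.yyy.yyy.65 ) inet from yyy.yyy.yyy.79 to ! yyy.yyy.yyy.64/27 keep state label "RULE 19 -- "

# Catch-all for ESP that did not match the route-to rules above.
# Because those rules are "quick", anything ESP that reaches this rule has
# been evaluated against them and rejected by their address clauses.
# It is a "pass" rather than a "block" so the tunnel keeps working while
# you look at the log.  (Label name is an example, not from the thread.)
pass out log quick on bge1 inet proto esp label "ESP-FALLTHROUGH"
```

With that loaded, `tcpdump -n -e -ttt -i pflog0 proto 50` prints each logged ESP packet prefixed with the matching rule number, action, direction and interface (for example `rule 18/0(match): pass out on bge1:` followed by the outer IP header), so the three cases separate cleanly: no line at all means the packet never reached pf's outbound hook on bge1; a line for the fallthrough rule means it did reach pf and the logged outer source address can be compared against the `from` addresses in rules 18 and 19; a line for rule 18 or 19 means route-to was applied. `pfctl -vvsr` complements this by printing every rule with its number and its Evaluations/Packets/Bytes/States counters, which shows whether a rule is even being evaluated. `pfctl -x loud` only raises the verbosity of pf's kernel log messages; it does not report which rule an individual packet matched.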