From: Norman Maurer <norman@apache.org>
To: freebsd-questions@freebsd.org
Date: Sat, 05 Jan 2008 21:59:39 +0100
Message-Id: <1199566779.5513.5.camel@norman-laptop>
Subject: PF and filtering stateful on GIF interface

Hi all,

I'm using FreeBSD 6.2-p9 on my server, which acts as an IPSec router using ipsec-tools. This works fine... But now I need to filter traffic which comes from the local private network to the VPN private network. I tried to do this with pf and using keep state. The return packets just get dropped. So I reread the gif manpage and read about the IPSEC_FILTERGIF option. I rebuilt the kernel with the option and tried it again. No luck! So I suspect this option is only valid for ipfw and ipf? Any idea how I can use pf + ipsec (over gif interface) to filter the needed stuff.
This, for example, does not work:

    LOCAL_NET = 10.0.0.0/24
    VPN_REMOTE_NET = 192.168.10.0/28
    pass proto tcp from $LOCAL_NET to $VPN_REMOTE_NET port 22 flags S/SA keep state

This works:

    LOCAL_NET = 10.0.0.0/24
    VPN_REMOTE_NET = 192.168.10.0/28
    pass proto tcp from $LOCAL_NET to $VPN_REMOTE_NET port 22
    pass proto tcp from $VPN_REMOTE_NET port 22 to $LOCAL_NET

Thx for the help,
bye
Norman