From: stephen
To: Vlad GALU
cc: freebsd-pf@freebsd.org
Date: Thu, 14 Apr 2005 09:47:07 +0200
Subject: Re: pflog and traffic via gif_if
List-Id: Technical discussion and general questions about packet filter (pf)

On 4/13/05, Vlad GALU wrote:
> On 4/13/05, stephen wrote:
> > On 4/13/05, Vlad GALU wrote:
> > > On 4/13/05, stephen wrote:
> > > You're not allowing any ipencap traffic on your tun interface. One
> > > more thing: you have "block in on $ext_if all" twice.
> > >
> >
> > Ah yeah... I do have it correct in my pf.conf, it was because I was
> > replacing all the variables back to what they should be.. must've lost
> > concentration as I was sending this mail just as my ride home arrived.
> >
> > Can you tell me more about allowing ipencap please?
> >
> gif interfaces use an encapsulation named "ipencap" (grep ipencap
> /etc/protocols, you'll see it mentioned there). All you have to do is
> to permit that type of protocol to flow in and out your tun interface.
> this should do it.

ok, we're making progress! I added the rules:

pass in on $ext_if inet proto ipencap from any to any keep state
pass out on $ext_if inet proto ipencap from any to any keep state

I don't think I'd need the keep state as I'm passing all in and out, but threw it in there anyway..

Thu Apr 14 09:37:23 root@bollox:/home/stephen# ping -c 3 10.0.89.254
PING 10.0.89.254 (10.0.89.254): 56 data bytes

--- 10.0.89.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Thu Apr 14 09:37:47 root@bollox:/home/stephen# ping -c 3 www.iol.co.za
PING www.iol.co.za (196.30.168.79): 56 data bytes
64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=48.192 ms
64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=46.719 ms
64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=49.637 ms

--- www.iol.co.za ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 46.719/48.183/49.637/1.191 ms

I've now gone from 'operation not permitted' to no ping response when pinging 10.0.89.254 (end point of tunnel). Doesn't look like an icmp issue as I can ping www.iol.co.za via tun0 w/o a problem.

Perhaps I should stop looking at this problem and try to rectify my pflog problem, as I'm sure it'll help tell me what to look at rather than posting step by step =] (although I'm hoping one day this'll help someone else, 'cause it had me baffled for a while and I couldn't find anything on the web).

Thanks for help thus far =]

Stephen
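An added example, not part of the thread and not pf's own tooling: a small POSIX sh lint that checks a pf ruleset for the two problems Vlad pointed out, a rule listed twice and no pass rule for the ipencap protocol in both directions on the external interface. The two rulesets it checks are constructed samples, not Stephen's real pf.conf.

```shell
#!/bin/sh
# Added example: lint a pf ruleset for a duplicated rule and for a missing
# "pass ... proto ipencap" rule (IP protocol 4, the encapsulation gif(4)
# uses for IPv4-in-IPv4 tunnels) in each direction on the external interface.

# Constructed sample rulesets (assumptions, not a real pf.conf).
BROKEN_RULES='ext_if = "tun0"
block in on $ext_if all
block in on $ext_if all
pass out on $ext_if inet proto ipencap from any to any keep state'

FIXED_RULES='ext_if = "tun0"
block in on $ext_if all
pass in on $ext_if inet proto ipencap from any to any keep state
pass out on $ext_if inet proto ipencap from any to any keep state'

# Print every rule line that occurs more than once (comment lines ignored).
duplicate_rules() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | sed 's/[[:space:]]*$//' | sort | uniq -d
}

# Succeed if a "pass <dir>" rule carries "proto ipencap" or "proto 4".
has_ipencap_pass() {
    printf '%s\n' "$1" \
        | grep -Eq "^pass[[:space:]]+$2[[:space:]].*proto[[:space:]]+(ipencap|4)([[:space:]]|\$)"
}

# Report findings; exit status 0 only when the ruleset is clean.
lint_rules() {
    status=0
    dups=$(duplicate_rules "$1")
    if [ -n "$dups" ]; then
        printf 'duplicate rule(s):\n%s\n' "$dups"
        status=1
    fi
    for dir in in out; do
        if ! has_ipencap_pass "$1" "$dir"; then
            echo "no 'pass $dir ... proto ipencap' rule"
            status=1
        fi
    done
    return "$status"
}

lint_rules "$BROKEN_RULES" || echo "broken ruleset: problems found"
lint_rules "$FIXED_RULES" && echo "fixed ruleset: clean"
```

The check only recognises the ipencap/4 spelling; a gif tunnel carrying IPv6 over IPv4 uses IP protocol 41 (ipv6 in /etc/protocols) instead and needs its own pass rules.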