From: "Edwin L. Culp"
To: freebsd-pf@freebsd.org
Date: Thu, 14 Apr 2005 05:17:10 -0500
Subject: Re: pflog and traffic via gif_if
Message-ID: <20050414051710.c0rda3krnokscwk4@mail.encontacto.net>

Quoting stephen:

> On 4/13/05, Vlad GALU wrote:
>> On 4/13/05, stephen wrote:
>> > On 4/13/05, Vlad GALU wrote:
>> > > On 4/13/05, stephen wrote:
>> > > You're not allowing any ipencap traffic on your tun interface. One
>> > > more thing: you have "block in on $ext_if all" twice.
>> > >
>> >
>> > Ah yeah... I do have it correct in my pf.conf, it was because I was
>> > replacing all the variables back to what they should be.. must've lost
>> > concentration as I was sending this mail just as my ride home arrived.
>> >
>> > Can you tell me more about allowing ipencap please?
>> >
>> gif interfaces use an encapsulation named "ipencap" (grep ipencap
>> /etc/protocols, you'll see it mentioned there). All you have to do is
>> to permit that type of protocol to flow in and out your tun interface.
>> This should do it.
>
> OK, we're making progress!
> I added the rules:
>
> pass in on $ext_if inet proto ipencap from any to any keep state
> pass out on $ext_if inet proto ipencap from any to any keep state
>
> I don't think I'd need the keep state as I'm passing all in and out,
> but threw it in there anyway..
>
> Thu Apr 14 09:37:23 root@bollox:/home/stephen# ping -c 3 10.0.89.254
> PING 10.0.89.254 (10.0.89.254): 56 data bytes
>
> --- 10.0.89.254 ping statistics ---
> 3 packets transmitted, 0 packets received, 100% packet loss
>
> Thu Apr 14 09:37:47 root@bollox:/home/stephen# ping -c 3 www.iol.co.za
> PING www.iol.co.za (196.30.168.79): 56 data bytes
> 64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=48.192 ms
> 64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=46.719 ms
> 64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=49.637 ms
>
> --- www.iol.co.za ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 46.719/48.183/49.637/1.191 ms
>
>
> I've now gone from 'operation not permitted' to no ping response when
> pinging 10.0.89.254 (end point of tunnel). Doesn't look like an ICMP
> issue as I can ping www.iol.co.za via tun0 w/o a problem.

Just wondering if this could have something to do with what you are seeing:

    The gif device does not translate ICMP messages for the outer header
    into the inner header.

From the gif man page. I've never used gif so this is a learning opportunity ;)

Good luck,

ed
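As an added illustration (not posted in this thread by anyone), the following pf.conf fragment shows the two layers a gif tunnel needs: the outer ipencap (IP-in-IP, protocol 4) rules on the external interface, and separate rules for the decapsulated traffic on the gif interface itself, which pf filters too. The interface names, the peer address and the inner network are assumptions; the default block is logged so pflog0 shows which interface a dropped packet was seen on.

```pf
# Added example, not from the thread. Names and addresses below are assumed:
# tun0 carries the outer Internet link (as in stephen's setup), gif0 is the tunnel.
ext_if      = "tun0"
gif_if      = "gif0"
tunnel_peer = "203.0.113.10"      # placeholder: outer address of the far endpoint
tunnel_net  = "10.0.89.0/24"      # placeholder: inner network behind the tunnel

set skip on lo0

# Default deny, logged: "tcpdump -n -e -ttt -i pflog0" then shows the
# interface (tun0 vs gif0) and rule number of every dropped packet.
block log all

# Outer layer: allow IP-in-IP only between the two tunnel endpoints,
# rather than "proto ipencap from any to any" as in the thread.
pass in  on $ext_if inet proto ipencap from $tunnel_peer to $ext_if keep state
pass out on $ext_if inet proto ipencap from $ext_if to $tunnel_peer keep state

# Inner layer: after decapsulation the packets arrive on gif0 and are
# filtered again. Without these, ICMP to the tunnel endpoint is dropped
# silently even though ipencap passes on tun0.
pass in  on $gif_if inet from $tunnel_net to any keep state
pass out on $gif_if inet from any to $tunnel_net keep state

# Ordinary outbound traffic on the external link
pass out on $ext_if inet keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and compare `pfctl -vvsr` rule counters before and after a ping to the tunnel endpoint to see which rule is matching.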