Date:      Thu, 14 Apr 2005 05:17:10 -0500
From:      "Edwin L. Culp" <eculp@encontacto.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: pflog and traffic via gif_if
Message-ID:  <20050414051710.c0rda3krnokscwk4@mail.encontacto.net>
In-Reply-To: <ee918c780504140047d7ae165@mail.gmail.com>
References:  <ee918c7805041200513d8f36a@mail.gmail.com> <ee918c7805041309063d83d732@mail.gmail.com> <79722fad05041312472ac3a460@mail.gmail.com> <ee918c78050413131448a22c86@mail.gmail.com> <79722fad0504131316236b50f5@mail.gmail.com> <ee918c780504140047d7ae165@mail.gmail.com>

Quoting stephen <dinzdale@gmail.com>:

> On 4/13/05, Vlad GALU <vladgalu@gmail.com> wrote:
>> On 4/13/05, stephen <dinzdale@gmail.com> wrote:
>> > On 4/13/05, Vlad GALU <vladgalu@gmail.com> wrote:
>> > > On 4/13/05, stephen <dinzdale@gmail.com> wrote:
>> > >    You're not allowing any ipencap traffic on your tun interface. One
>> > > more thing: you have "block in on $ext_if all" twice.
>> > >
>> >
>> > Ah yeah... I do have it correct in my pf.conf, it was because i was
>> > replacing all the variables back to what they should be.. must've lost
>> > concentration as I was sending this mail just as my ride home arrived.
>> >
>> > Can you tell me more about allowing ipencap please?
>> >
>>   gif interfaces use an encapsulation named "ipencap" (grep ipencap
>> /etc/protocols, you'll see it mentioned there). All you have to do is
>> to permit that type of protocol to flow in and out of your tun interface.
>> This should do it.
>
> ok, we're making progress!
> I added the rules:
>
> pass in on $ext_if inet proto ipencap from any to any keep state
> pass out on $ext_if inet proto ipencap from any to any keep state
>
> I don't think I'd need the keep state as I'm passing all in and out,
> but threw it in there anyway.
>
> Thu Apr 14 09:37:23 root@bollox:/home/stephen# ping -c 3 10.0.89.254
> PING 10.0.89.254 (10.0.89.254): 56 data bytes
>
> --- 10.0.89.254 ping statistics ---
> 3 packets transmitted, 0 packets received, 100% packet loss
>
> Thu Apr 14 09:37:47 root@bollox:/home/stephen# ping -c 3 www.iol.co.za
> PING www.iol.co.za (196.30.168.79): 56 data bytes
> 64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=48.192 ms
> 64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=46.719 ms
> 64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=49.637 ms
>
> --- www.iol.co.za ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 46.719/48.183/49.637/1.191 ms
>
>
> I've now gone from 'operation not permitted' to no ping response when
> pinging 10.0.89.254 (end point of tunnel). It doesn't look like an ICMP
> issue as I can ping www.iol.co.za via tun0 without a problem.

Just wondering if this could have something to do with what you are seeing:

     The gif device does not translate ICMP messages for the outer header into
     the inner header.

From the gif man page. I've never used gif, so this is a learning
opportunity ;)

Good luck,

ed
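
[Editor's note, added to this archived message and not part of the original thread.] The two pass rules quoted above only open the outer layer of the tunnel. A packet sent through a gif tunnel crosses pf twice: once on the outer interface (tun0 here) as an IP protocol 4 packet, which is the "ipencap" entry in /etc/protocols, and once more on gif0 as the decapsulated inner packet. If the ruleset has a default "block all" and no pass rules on gif0, the echo request to the far end of the tunnel is dropped there and the loss looks exactly like what is described above, with pflog0 showing the block on gif0 rather than on tun0. The gif(4) sentence quoted by Ed is about ICMP errors (unreachable, fragmentation needed) that arrive for the outer header and are not rewritten for the inner packet; it does not stop an echo reply from crossing the tunnel. Below is an added pf.conf fragment that makes both layers explicit. The names and addresses are assumptions for illustration: tun0 as the outer interface, gif0 as the tunnel, 192.0.2.1 (a documentation address) as the remote outer endpoint, and 10.0.89.0/24 with 10.0.89.254 at the far end as the inner network. The rule style (explicit "keep state", "flags S/SA") matches the pf of that era.

```pf
# Added example, not from the original thread. All names and addresses below
# are assumptions chosen for illustration.
ext_if      = "tun0"          # outer, Internet-facing interface
tun_if      = "gif0"          # tunnel interface carrying the inner packets
tunnel_peer = "192.0.2.1"     # assumed remote outer endpoint of the tunnel
inner_net   = "10.0.89.0/24"  # assumed inner network; 10.0.89.254 is the far end

set skip on lo0

# Default deny on every interface. This covers gif0 too, which is why the
# inner-layer rules further down are required.
block in log all
block out log all

# Outer layer: the encapsulated tunnel packets. pf resolves "ipencap" through
# /etc/protocols, so "proto 4" is equivalent. Restricting the rules to the
# known peer instead of "from any to any" keeps other hosts from injecting
# encapsulated packets at the outer interface.
pass in  quick on $ext_if inet proto ipencap from $tunnel_peer to ($ext_if) keep state
pass out quick on $ext_if inet proto ipencap from ($ext_if) to $tunnel_peer keep state

# Ordinary outbound Internet traffic on the outer interface (the www.iol.co.za
# ping in the message above goes through here, not through the tunnel).
pass out on $ext_if inet keep state

# Inner layer: the decapsulated packets are filtered a second time, on gif0.
# Without these, "block in log all" above drops the echo request to
# 10.0.89.254 before it ever becomes an ipencap packet on tun0.
pass in  on $tun_if inet proto icmp from $inner_net to any icmp-type echoreq keep state
pass in  on $tun_if inet proto tcp  from $inner_net to any port ssh flags S/SA keep state
pass out on $tun_if inet keep state
```

To check which layer is dropping the packet, load the file with `pfctl -nf /etc/pf.conf` to syntax-check it first, then watch `tcpdump -n -e -ttt -i pflog0` while pinging: the logged interface name tells you whether the block happened on gif0 (inner rules missing) or on tun0 (ipencap rules missing). `tcpdump -n -i tun0 proto 4` confirms whether encapsulated packets are actually leaving the outer interface at all; if nothing appears there, the problem is on the gif0 side or in the tunnel configuration (`ifconfig gif0` should show both the inner addresses and the "tunnel inet ... --> ..." outer endpoints), not in the peer.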
