Date:      Sun, 25 Mar 2007 19:59:24 +0200
From:      Andre Albsmeier <Andre.Albsmeier@siemens.com>
To:        Volker <volker@vwsoft.com>
Cc:        Andre Albsmeier <Andre.Albsmeier@siemens.com>, freebsd-pf@freebsd.org
Subject:   Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
Message-ID:  <20070325175924.GA51473@curry.mchp.siemens.de>
In-Reply-To: <46052572.9070402@vwsoft.com>
References:  <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com>

On Sat, 24-Mar-2007 at 14:19:46 +0100, Volker wrote:
> Andre,
> 
> On 12/23/-58 20:59, Andre Albsmeier wrote:
> > [Retrying on -pf...]
> > 
> > (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
> > 
> > Yesterday I started to play around with enc0 in pf. I hoped I
> > could now control IPSEC traffic in the standard way with pf rules
> > but it seems that only outgoing packets hit enc0. I added a
> > 
> > pass quick log on enc0 all
> 
> Do you really use that rule? If you're using a 'keep state' option

For playing around, yes.

> this would give the behavior you're experiencing.

That's why I didn't use 'keep state' :-).

> 
> > on top of all pf rules. When sending a single ping packet to
> > the remote side everything works but the only thing I see is
> > 
> > Mar 18 10:20:11 <local0.warn> gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)
> > 
> > (192.168.164.81 is my local gif0 address and 10.0.1.32 the remote).
> > 
> > However, when running a tcpdump on enc0 we see the answer as well:
> > 
> > listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 1550 bytes
> > 10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4)
> > 10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4)
> > 
> > (A.B.C.D is my local gif0 tunnel endpoint and E.F.G.H the remote).
> > 
> > Just to make things clear: IPSEC works (as it did for years), I'm
> > just not able to control the incoming packets with enc0 in pf.
> 
> Not really what you're asking for but... I think you won't like to
> see _every_ packet in the firewall logs. Instead you really want to

Yes, for now I want to see every packet :-). Later, of course,
there will be one outgoing state-keeping rule and another
incoming one to allow specific things additionally.

	-Andre

-- 
"Regression testing? What's that? If it compiles,
it is good, if it boots up, it is perfect."
                                     - Linus Torvalds
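As an added illustration (not part of the thread), the two rule sets being contrasted above: the diagnostic one Andre is using, which has no state and so forces every packet in either direction on enc0 through a rule, and the production shape he describes at the end, with one state-keeping outgoing rule plus a separate incoming rule. The addresses are taken from the thread; the /24 networks and the restriction of the incoming rule to ICMP echo requests are assumptions made for the example:

```pf
# Diagnostic rule set (the one quoted in the thread): no state is
# kept, so every packet in either direction on enc0 has to match a
# rule and is therefore logged by pflogd.
pass quick log on enc0 all

# Production-style rule set (the shape described in the reply).
# Outgoing traffic creates state; the returning packets are matched
# by the state entry, not by a rule, so a rule with "log" only logs
# the packet that created the state.
pass out quick log on enc0 all keep state

# Incoming traffic that should be accepted on its own, independent of
# any state created by outgoing packets.  Networks assumed for the
# example.
pass in quick log on enc0 inet proto icmp \
    from 10.0.1.0/24 to 192.168.164.0/24 icmp-type echoreq keep state
```

Load with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -i pflog0`; with the diagnostic set both the echo request and the reply appear, with the production set only the request does.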