Date: Sun, 25 Mar 2007 19:59:24 +0200 From: Andre Albsmeier <Andre.Albsmeier@siemens.com> To: Volker <volker@vwsoft.com> Cc: Andre Albsmeier <Andre.Albsmeier@siemens.com>, freebsd-pf@freebsd.org Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf Message-ID: <20070325175924.GA51473@curry.mchp.siemens.de> In-Reply-To: <46052572.9070402@vwsoft.com> References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 24-Mar-2007 at 14:19:46 +0100, Volker wrote: > Andre, > > On 12/23/-58 20:59, Andre Albsmeier wrote: > > [Retrying on -pf...] > > > > (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.) > > > > Yesterday I started to play around with enc0 in pf. I hoped I > > could now control IPSEC traffic in the standard way with pf rules > > but it seems that only outgoing packets hit enc0. I added a > > > > pass quick log on enc0 all > > Do you really use that rule? If you're using a 'keep state' option For playing around, yes. > this would give the behavior you're experiencing. That's why I didn't use 'keep state' :-). > > > on top of all pf rules. When sending a single ping packet to > > the remote side everything works but the only thing I see is > > > > Mar 18 10:20:11 <local0.warn> gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo) > > > > (192.168.164.81 is my local gif0 address and 10.0.1.32 the remote). > > > > However, when running a tcpdump on enc0 we see the answer as well: > > > > listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 1550 bytes > > 10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4) > > 10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4) > > > > (A.B.C.D is my local gif0 tunnel endpoint and E.F.G.H the remote). > > > > Just to make things clear: IPSEC works (as it did for years), I'm > > just not able to control the incoming packets with enc0 in pf. > > Not really what you're asking for but... I think you won't like to > see _every_ packet in the firewall logs. Instead you really want to Yes, for now I want to see every packet :-). Later, of course, there will be one outgoing state-keeping rule and and another incoming one to allow specific things additionally. -Andre -- "Regression testing? What's that? If it compiles, it is good, if it boots up, it is perfect." - Linus Torvalds
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070325175924.GA51473>