Date:      Mon, 26 Mar 2007 14:39:50 +0200
From:      Volker <volker@vwsoft.com>
To:        Andre Albsmeier <Andre.Albsmeier@siemens.com>
Cc:        Andrew Thompson <thompsa@freebsd.org>, freebsd-pf@freebsd.org
Subject:   Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
Message-ID:  <4607BF16.7010408@vwsoft.com>
In-Reply-To: <20070326064707.GA83792@curry.mchp.siemens.de>
References:  <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz> <46071AAC.2020101@vwsoft.com> <20070326064707.GA83792@curry.mchp.siemens.de>

On 03/26/07 08:47, Andre Albsmeier wrote:
> On Mon, 26-Mar-2007 at 02:58:20 +0200, Volker wrote:
>> Andrew, Andre & all,
>>
>> I've checked it out once more (with a corrected setup) and now have
>> been able to block traffic on enc0 in both directions (no matter if
>> the tunnel endpoint is final destination or not).
> 
> Does that mean that a rule
> 
> block in log quick on enc0
> 
> on top of all rules actually blocks anything (assuming you don't
> have another state-keeping outgoing rule for enc0)?

Yes, that's what it does. I've restricted traffic on the enc
interface to ICMP only, in and out (I've tested in a production
environment, so I had to avoid disturbing any other legitimate
traffic), but I've been able to block that traffic.

As I've written in a private message (this goes for the archives
here...), I've had trouble blocking traffic on enc0 with a version
before 6.2-RELEASE. Now (with 6.2-RELEASE and up) enc(4) does seem to
work properly.

There should be just one simple note in the man page stating that enc
will unconditionally pass all traffic if the interface is down.
Also, currently enc is not even in NOTES.

HTH,

Volker
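A pre-flight check for the caveat raised above (enc(4) passing everything unfiltered while the interface is down), written as an added example for this archive and not code from anyone in the thread. It parses the first line of ifconfig(8) output for enc0 (embedded here as constructed samples, not captured output) and only emits the ICMP-only enc0 ruleset described in the reply when the interface carries the UP flag; the helper names are assumptions.

```shell
#!/bin/sh
# Added example: refuse to load the enc0 ruleset while enc0 is down,
# since enc(4) passes all traffic unconditionally in that state.

# enc0_is_up STATUS_LINE -> exit 0 if the flags word contains UP.
# STATUS_LINE is the first line of `ifconfig enc0` output.
enc0_is_up() {
    printf '%s\n' "$1" \
        | sed -n '1s/.*flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -qx 'UP'
}

# Constructed samples of the first line of `ifconfig enc0`.
ENC0_UP='enc0: flags=41<UP,RUNNING> metric 0 mtu 1536'
ENC0_DOWN='enc0: flags=0<> metric 0 mtu 1536'

# Ruleset for enc0 mirroring the test in the thread: ICMP in and out,
# everything else blocked and logged. Output is meant for `pfctl -f -`.
enc0_rules() {
    cat <<'EOF'
pass in quick on enc0 proto icmp keep state
pass out quick on enc0 proto icmp keep state
block log quick on enc0
EOF
}

# load_enc0_rules STATUS_LINE -> print the ruleset only when enc0 is up;
# otherwise complain on stderr and return 1 so a caller can bail out.
load_enc0_rules() {
    if enc0_is_up "$1"; then
        enc0_rules
    else
        echo "enc0 is down: enc(4) would pass all traffic unfiltered" >&2
        return 1
    fi
}
```

On a live host the status line would come from `ifconfig enc0 | head -1` and the printed rules would be piped into pfctl.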
