From: Andre Albsmeier <Andre.Albsmeier@siemens.com>
To: Andrew Thompson
Cc: Volker, Andre Albsmeier, freebsd-pf@freebsd.org
Date: Sun, 25 Mar 2007 20:19:31 +0200
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
Message-ID: <20070325181931.GA51689@curry.mchp.siemens.de>
In-Reply-To: <20070324185928.GC45070@heff.fud.org.nz>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz>
User-Agent: Mutt/1.5.14 (2007-02-12)
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

On Sun, 25-Mar-2007 at 06:59:28 +1200, Andrew Thompson wrote:
> On Sat, Mar 24, 2007 at 02:19:46PM +0100, Volker wrote:
> > Andre,
> >
> > On 12/23/-58 20:59, Andre Albsmeier wrote:
> > > [Retrying on -pf...]
> > >
> > > (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
> > >
> > > Just to make things clear: IPSEC works (as it did for years), I'm
> > > just not able to control the incoming packets with enc0 in pf.
> >
> > On the other side, I've played with device enc a few weeks ago and
> > was asking for clarification on net@ but didn't get any reply.
> >
> > What's really strange is packets coming through an IPSec tunnel can
> > be seen by pf on device enc but packets are still passing through
> > even if device enc0 is down.
>
> The code does check if the interface is running but if it's not then just
> passes the packet through unhindered. Do you think it should behave like
> you describe where the packets are dropped?
>
> See line 204, change the check to this
>
>     if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
>             m_freem(*mp);
>             return (-1);
>     }
>
> > So from my experience device enc currently is a bit strange in
> > behavior (at least on -STABLE). Also AFAIR I haven't been able to
> > block packets on device enc0 using pf. I suspect device enc is
> > currently a bit of a hack and currently probably only useful for
> > packet / connection logging but not for real firewalling. You might
> > check out if you're able to block anything on enc0 (my memories
> > might be wrong) and play with it a bit.
>
> This should work as you say and if it's not then that's a bug. Can you log
> the packets with pflog to check they are being blocked?

Not being Volker :-) but I just added

    block out log quick on enc0

to pf.conf, sent out a single ping packet and while it was properly
blocked it also appeared in the logs:

    Mar 25 20:01:32 gate pflogd: @7 block out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)

So, yes, you can control outgoing packets using enc0 with pf but not
incoming ones.

-Andre
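As an added example that is not part of the thread, the following Python script automates the check Andre did by hand: it parses pflogd records in the one-line text form quoted above and counts, per interface, how many matches were logged inbound versus outbound, so a missing "in" count on enc0 shows up immediately. It assumes the record layout shown in the message (an optional syslog prefix, then `@rule action dir iface proto src -> dst ...`); the first sample line is the record from the message with the mail wrap on "(echo)" rejoined, and the second is constructed to show what an inbound enc0 match would look like if pf logged it.

```python
import re
from collections import defaultdict

# Regex for the pflogd text record format shown in the message. Assumption:
# an optional syslog prefix "Mon DD HH:MM:SS host pflogd: " may precede it.
PFLOG_RE = re.compile(
    r"^(?:\S+\s+\d+\s+[\d:]+\s+\S+\s+pflogd:\s+)?"      # optional syslog prefix
    r"@(?P<rule>\d+)\s+(?P<action>block|pass)\s+(?P<dir>in|out)\s+"
    r"(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+(?P<rest>.*))?$"                            # e.g. ICMP type/code text
)

# Sample input. PAGE_LINE is the record quoted in the message (rejoined where
# the mail wrapped "(echo)"); CONSTRUCTED_INBOUND_LINE is constructed here to
# show what an inbound match on enc0 would look like if pf saw it.
PAGE_LINE = ("Mar 25 20:01:32 gate pflogd: @7 block out enc0 ICMP "
             "192.168.164.81 -> 10.0.1.32 8 (echo)")
CONSTRUCTED_INBOUND_LINE = ("Mar 25 20:01:33 gate pflogd: @8 block in enc0 ICMP "
                            "10.0.1.32 -> 192.168.164.81 0 (echo reply)")


def parse_pflog_line(line):
    """Return a dict of fields for one pflogd record, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def summarize_directions(lines):
    """Count logged matches per interface, split by direction (in/out)."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None:
            counts[rec["iface"]][rec["dir"]] += 1
    return dict(counts)


def sees_both_directions(lines, iface="enc0"):
    """True only when pf logged traffic both inbound and outbound on iface.

    With rules such as 'block in log quick on enc0' and 'block out log quick
    on enc0' in place, a False result after traffic in both directions means
    pf is not seeing one direction on the enc interface, as the thread reports.
    """
    c = summarize_directions(lines).get(iface, {"in": 0, "out": 0})
    return c["in"] > 0 and c["out"] > 0


if __name__ == "__main__":
    # With only the record from the message, enc0 shows outbound matches only.
    print(summarize_directions([PAGE_LINE]))
    print("enc0 logged both directions:", sees_both_directions([PAGE_LINE]))
```

Feed it the pflogd text output (or `tcpdump -n -e -ttt -r /var/log/pflog` output reformatted into the same one-line shape) after sending traffic in both directions through the tunnel; an interface that only ever accumulates an "out" count is the symptom this thread is about.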