From owner-freebsd-pf@FreeBSD.ORG Wed Oct 12 04:50:04 2011
From: Виталий Владимирович
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
Date: Wed, 12 Oct 2011 07:50:01 +0300
Subject: Re: Filtering inside IPSec tunnel
Message-Id: <52623.1318395001.5638287628313755648@ffe6.ukr.net>
In-Reply-To: <3E6628B4-CABB-41C3-8630-681F08690ABF@lists.zabbadoz.net>
References: <94876.1318358460.12206338191212019712@ffe11.ukr.net> <3E6628B4-CABB-41C3-8630-681F08690ABF@lists.zabbadoz.net>

--- Original Message ---
From: "Bjoern A. Zeeb"
To: "Michael Proto"
Date: 11 October 2011, 23:24:39
Subject: Re: Filtering inside IPSec tunnel

> On 11. Oct 2011, at 19:37 , Michael Proto wrote:
>
> > 2011/10/11 Виталий Владимирович :
> >>
> >> I have an IPSec tunnel FreeBSD <-> Cisco. Tunnel works fine but I can filtering traffic inside tunnel with PF.
> >>
> >> pf.conf
> >>
> >> ......
> >>
> >> ipsec_if="gif0"
> >>
> >> .......
> >> block in all
> >> block out all
> >>
> >> ### EXT_IF_OUT
> >>
> >> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
> >>
> >> ### EXT_IF_IN
> >>
> >> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
> >> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
> >>
> >> ### IPSec VPN INTERFACE
> >> #pass in quick on $ipsec_if inet from any to $ipsec_if
> >> #pass out quick on $ipsec_if inet from $ipsec_if to any
> >> block quick on $ipsec_if
> >>
> >> But I still ping the second point of the IPSec tunnel.
> >> Where is my mistake?
> >
> > IIRC you also need the following in your kernel config:
> >
> > options IPSEC_FILTERTUNNEL
> >
> > (I think it used to be called IPSEC_FILTERGIF, depending on what
> > version of FreeBSD you're running)
>
> yes and there are sysctls these days:
>
> net.inet.ipsec.filtertunnel: 1
> net.inet6.ipsec6.filtertunnel: 1
>

Thanks guys. It works fine!
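As an added example (not part of the thread, nor FreeBSD's own tooling): a small sh script that checks the two sysctl knobs named above, since with them off the "block quick on $ipsec_if" rule from the pf.conf never sees the decapsulated packets and the tunnel peer stays pingable. It assumes FreeBSD with pf and the tunnel on gif0; the check functions parse sysctl(8)-style "name: value" text, so they can also be fed constructed output on another host.

```sh
#!/bin/sh
# Added example, not part of the thread. Checks that the filtertunnel
# knobs named above are on, so that pf rules on gif0 actually apply to
# packets after IPsec decapsulation, and prints what to persist.
# Assumption: FreeBSD with pf, tunnel interface gif0 as in the pf.conf above.

# Print the value of OID $1 from sysctl(8)-style "name: value" text on stdin.
sysctl_value() {
    awk -v oid="$1" -F': ' '$1 == oid { print $2; exit }'
}

# Succeed (exit 0) only when both the IPv4 and IPv6 knobs read 1 in the
# sysctl output supplied on stdin; a missing knob counts as disabled.
filtertunnel_enabled() {
    out=$(cat)
    v4=$(printf '%s\n' "$out" | sysctl_value net.inet.ipsec.filtertunnel)
    v6=$(printf '%s\n' "$out" | sysctl_value net.inet6.ipsec6.filtertunnel)
    [ "${v4:-0}" = 1 ] && [ "${v6:-0}" = 1 ]
}

# Lines for /etc/sysctl.conf so the setting survives a reboot.
sysctl_conf_lines() {
    printf '%s\n' 'net.inet.ipsec.filtertunnel=1' 'net.inet6.ipsec6.filtertunnel=1'
}

# Live check, only on FreeBSD; elsewhere the functions can be fed sample text.
if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
    if sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel 2>/dev/null \
            | filtertunnel_enabled; then
        echo "filtertunnel on: pf rules on gif0 see decapsulated traffic"
    else
        echo "filtertunnel off: 'block quick on gif0' will not stop tunnelled traffic" >&2
        echo "enable now: sysctl net.inet.ipsec.filtertunnel=1 net.inet6.ipsec6.filtertunnel=1" >&2
        echo "persist by appending to /etc/sysctl.conf:" >&2
        sysctl_conf_lines >&2
    fi
fi
```

After enabling the knobs, a "block log quick on $ipsec_if" rule plus tcpdump on pflog0 shows the decapsulated packets being dropped, which is the quickest confirmation that the fix took.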