From: "Marin Bernard"
To: "Kristof Provost", "Miroslav Lachman" <000.fbsd@quip.cz>
Cc: freebsd-pf@freebsd.org
Date: Tue, 21 Mar 2017 14:33:07 +0100
Subject: Re: Support for the enc(4) pseudo-interface
Message-ID: <1490103187-a3654e05a49f29f2d47fde8327d32619@olivarim.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I just got it working. Here is what I have done:

- Loaded the kernel module:

    # kldload if_enc

- Set the interface up:

    # ifconfig enc0 up

- Tweaked sysctl to enable tunnel filtering. Default value is 0 and
makes IPsec-related traffic bypass the firewall:

    # sysctl net.inet.ipsec.filtertunnel = 1

- Tweaked sysctl to configure the enc(4) device. According to the man
page, the mechanism used by enc(4) to inject packets into packet filters
is configurable with two sysctl values, one for each direction. Default
values are:

    # sysctl net.enc.out.ipsec_filter_mask
    1
    # sysctl net.enc.in.ipsec_filter_mask
    1

The default value of the second sysctl leads enc(4) devices to pass
encrypted traffic to packet filters. As suggested by the man page, I had
to set this sysctl to the recommended value of 2 to make enc(4) inject
decrypted packets instead:

    # sysctl net.enc.in.ipsec_filter_mask = 2

By the way, I still do not understand why the default value of this
sysctl is different from the suggested one.
- I modified the pf ruleset to add a rule for outbound traffic on enc0:

    # cat /etc/pf.conf
    peers = "{1.2.3.4, 5.6.7.8}"
    set skip on lo
    block all
    # Allow IKE
    pass  in proto {tcp, udp} from $peers to self   port isakmp
    pass out proto {tcp, udp} from self   to $peers port isakmp
    # Allow ICMPv4 echo requests only through IPsec
    pass  in on enc0 proto icmp from $peers to self   icmp-type echoreq
    pass out on enc0 proto icmp from self   to $peers icmp-type echoreq

IPsec filtering seems to work fine with this config. I can confirm that
ICMP traffic is encrypted. Furthermore, removing the last rules actually
blocks echo requests, which is what is expected.

Thanks for your help and for letting me know that the enc was available
as a kernel module!

Marin.

On 21 March 2017 13:22, "Kristof Provost" wrote:

> On 21 Mar 2017, at 12:44, Miroslav Lachman wrote:
> > Kristof Provost wrote on 2017/03/21 10:18:
> >> On 21 Mar 2017, at 9:43, Marin Bernard wrote:
> >
> >>> If there is no SA, it is impossible for a peer to ping another. As
> >>> soon as IKE creates a SA, however, ping starts working. As you can
> >>> see, the last rule is explicitly bound to the nonexistent enc0
> >>> interface, and yet is working fine.
> >>>
> >> Can you try without the enc0 rule? I suspect that what's happening
> >> here is that the IPSec traffic is bypassing the firewall altogether.
> >> If that's the case your traffic will still flow, even without the
> >> pass on enc0 rule.
> >>
> >> If you want to filter on it, it should work if you add 'device enc'
> >> to your kernel config. The man page suggests that should then allow
> >> you to filter IPSec traffic on enc0.
> >
> > Shouldn't it be included in GENERIC if IPSec is now part of it? It
> > seems illogical to build your own kernel for IPsec if IPSec was
> > included in GENERIC for 11.0 ... but without enc.
> >
> Yeah, perhaps it should be.
>
> I've not used it myself, so I don't know if/how well it works now,
> but unless it breaks things or introduces significant performance
> regressions we should probably turn it on too.
>
> Martin, could you give us an idea of how well this works for you when
> you've got the time to set it up?
>
> Regards,
> Kristof
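As an added example (not part of the mailing-list post or of FreeBSD itself), the check below audits sysctl(8) output for the two knobs the post depends on: `net.inet.ipsec.filtertunnel` must be 1 or IPsec traffic bypasses pf entirely, and `net.enc.in.ipsec_filter_mask` must be 2 or the inbound enc0 rules match encrypted rather than decrypted packets. The expected values are taken from the post; the sample sysctl lines are constructed so the function runs without a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread. Expected values follow the post:
#   net.inet.ipsec.filtertunnel = 1  (otherwise IPsec traffic skips pf)
#   net.enc.in.ipsec_filter_mask = 2 (otherwise inbound rules see ciphertext)
# net.enc.out.ipsec_filter_mask is left at its default of 1, as in the post.

# audit_enc_sysctls reads "name: value" lines (the format sysctl(8) prints)
# on stdin, prints one finding per problem, and returns 0 only when both
# knobs are present with the expected values.
audit_enc_sysctls() {
    rc=0
    seen_tunnel=0
    seen_in=0
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*: }
        case "$name" in
            net.inet.ipsec.filtertunnel)
                seen_tunnel=1
                [ "$value" = "1" ] || {
                    echo "FAIL: $name=$value (IPsec tunnel traffic bypasses pf; expected 1)"
                    rc=1
                }
                ;;
            net.enc.in.ipsec_filter_mask)
                seen_in=1
                [ "$value" = "2" ] || {
                    echo "FAIL: $name=$value (inbound enc0 rules see encrypted packets; expected 2)"
                    rc=1
                }
                ;;
        esac
    done
    [ "$seen_tunnel" = 1 ] || {
        echo "FAIL: net.inet.ipsec.filtertunnel not reported (IPsec not available?)"
        rc=1
    }
    [ "$seen_in" = 1 ] || {
        echo "FAIL: net.enc.in.ipsec_filter_mask not reported (if_enc not loaded?)"
        rc=1
    }
    if [ "$rc" = 0 ]; then
        echo "OK: IPsec traffic is filtered on enc0 and inbound rules see decrypted packets"
    fi
    return "$rc"
}

# Constructed sample: the defaults the post describes before any tuning.
SAMPLE_DEFAULTS='net.inet.ipsec.filtertunnel: 0
net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_filter_mask: 1'

# Constructed sample: the values after applying the post's sysctl changes.
SAMPLE_FIXED='net.inet.ipsec.filtertunnel: 1
net.enc.in.ipsec_filter_mask: 2
net.enc.out.ipsec_filter_mask: 1'

# Live use on a FreeBSD host (assumed invocation):
#   sysctl net.inet.ipsec.filtertunnel net.enc.in.ipsec_filter_mask | audit_enc_sysctls
```

Piping the real sysctl output through the function is a cheap post-boot check that the enc0 rules in the ruleset are actually seeing traffic; if `net.inet.ipsec.filtertunnel` is still 0, a `pass ... on enc0` rule can appear to work only because the IPsec traffic never reaches pf, which is exactly the symptom Kristof points at in the quoted reply.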