From: VANHULLEBUS Yvan <vanhu@zeninc.net>
To: freebsd-pf@freebsd.org
Date: Tue, 25 Oct 2005 11:57:45 +0200
Message-ID: <20051025095745.GA2581@zeninc.net>
Subject: Filtering IPSec traffic ?
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi all.

When setting up IPSec gates with traffic filtering (using pf, of course), I didn't find any solution or information about how to filter IPSec traffic, except when using gif interfaces.

On OpenBSD, it looks like all IPSec traffic comes from enc0; on Linux/Netfilter, they have for example the --mode tunnel to ensure the current packet comes from an IPSec tunnel. But how can I set up a filtering rule on FreeBSD, with pf, which specifies that a packet can only match if it was encapsulated?

Yvan.
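The two approaches the message mentions (the gif tunnel, and an enc0-style interface as on OpenBSD), laid out as an added pf.conf example that is not part of the original post. Interface names, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.1 addresses are constructed, and the enc0 rules assume an enc(4) interface, which OpenBSD provides and which later FreeBSD releases added as if_enc; the original 2005 question has no such interface available.

```pf
# Added example, not from the original post. Constructed addresses:
#   192.0.2.0/24    local LAN behind this gateway
#   198.51.100.0/24 remote LAN reached through the IPsec peer
#   203.0.113.1     remote gateway's public address
# fxp0 (ext_if) is assumed to be the Internet-facing interface.
ext_if   = "fxp0"
lan_net  = "192.0.2.0/24"
peer_gw  = "203.0.113.1"
peer_net = "198.51.100.0/24"

# On the outside interface, accept only the IPsec protocols themselves from
# the known peer: IKE on UDP/500, then ESP and AH. Everything else from the
# peer is dropped, so plaintext packets never get a chance to match rules
# meant for decrypted traffic.
block in on $ext_if from $peer_gw
pass in on $ext_if proto udp from $peer_gw to ($ext_if) port 500
pass in on $ext_if proto esp from $peer_gw to ($ext_if)
pass in on $ext_if proto ah  from $peer_gw to ($ext_if)

# Approach 1: gif(4) tunnel protected by transport-mode IPsec. After ESP is
# stripped the IP-in-IP (ipencap) packet is reinjected and must be passed on
# the outer interface; the decapsulated inner packet is then presented on
# gif0, so a rule on gif0 can only ever match traffic that came through the
# tunnel. This is the working method the original post refers to.
pass in on $ext_if proto ipencap from $peer_gw to ($ext_if)
pass in on gif0 from $peer_net to $lan_net

# Approach 2: enc(4) pseudo-interface (OpenBSD's enc0; assumed here to be
# available, as it is on later FreeBSD releases via if_enc). Decrypted
# inbound packets are shown on enc0 after IPsec processing, which gives the
# "matches only if it was encapsulated" condition asked for: a packet with a
# $peer_net source that was never inside an SA never appears on enc0.
pass in on enc0 from $peer_net to $lan_net
pass out on enc0 from $lan_net to $peer_net
```

The enc0 rules are the direct answer to the question but rely on the kernel exposing decrypted traffic on that interface; on a system without it, the gif rules are the only part of the fragment that enforces the "came through the tunnel" property, which is why the post's own observation about gif holds.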