Date:      Sun, 25 Mar 2007 20:19:31 +0200
From:      Andre Albsmeier <Andre.Albsmeier@siemens.com>
To:        Andrew Thompson <thompsa@freebsd.org>
Cc:        Volker <volker@vwsoft.com>, Andre Albsmeier <Andre.Albsmeier@siemens.com>, freebsd-pf@freebsd.org
Subject:   Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
Message-ID:  <20070325181931.GA51689@curry.mchp.siemens.de>
In-Reply-To: <20070324185928.GC45070@heff.fud.org.nz>
References:  <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz>

On Sun, 25-Mar-2007 at 06:59:28 +1200, Andrew Thompson wrote:
> On Sat, Mar 24, 2007 at 02:19:46PM +0100, Volker wrote:
> > Andre,
> > 
> > On 12/23/-58 20:59, Andre Albsmeier wrote:
> > > [Retrying on -pf...]
> > > 
> > > (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
> > > 
> > > Just to make things clear: IPSEC works (as it did for years), I'm
> > > just not able to control the incoming packets with enc0 in pf.
> > 
> > On the other side, I played with device enc a few weeks ago and
> > was asking for clarification on net@ but didn't get any reply.
> > 
> > What's really strange is packets coming through an IPSec tunnel can
> > be seen by pf on device enc but packets are still passing through
> > even if device enc0 is down.
>  
> The code does check if the interface is running but if it's not then just
> passes the packet through unhindered. Do you think it should behave like
> you describe where the packets are dropped?
> 
> See line 204, change the check to this
>   if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
>      m_freem(*mp);
>      return (-1);
>   }
> 
> > So from my experience device enc currently is a bit strange in
> > behavior (at least on -STABLE). Also AFAIR I haven't been able to
> > block packets on device enc0 using pf. I suspect device enc is
> > currently a bit of a hack and currently probably only useful for
> > packet / connection logging but not for real firewalling. You might
> > check out if you're able to block anything on enc0 (my memories
> > might be wrong) and play with it a bit.
>  
> This should work as you say and if it's not then that's a bug. Can you log
> the packets with pflog to check they are being blocked?

Not being Volker :-) but I just added

block out log quick on enc0

to pf.conf, sent out a single ping packet and, while it was
properly blocked, it also appeared in the logs:

Mar 25 20:01:32 <local0.warn> gate pflogd: @7 block out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)

So, yes, you can control outgoing packets using enc0 with pf
but not incoming ones.

	-Andre
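The check Andrew asks for above (log on enc0 and see what pflog actually records) can be automated: the following added example, not part of this thread, parses pflogd syslog lines in the layout of the line Andre quoted and reports interfaces that log traffic in only one direction, which is the enc0 symptom described here. The layout is taken from the single ICMP line in the thread; the TCP lines in the sample are constructed and assume the same `src -> dst` layout.

```python
import re
from collections import defaultdict

# Layout of the pflogd/syslog line quoted in the thread:
# "... pflogd: @7 block out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)"
PFLOG_RE = re.compile(
    r"pflogd: @(?P<rule>\d+) (?P<action>pass|block) (?P<dir>in|out) "
    r"(?P<ifname>\S+) (?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+)"
    r"(?: (?P<rest>.*))?$"
)


def parse_pflog_line(line):
    """Return the fields of one pflogd line as a dict, or None if it is not one."""
    m = PFLOG_RE.search(line)
    return m.groupdict() if m else None


def direction_summary(lines):
    """Count logged packets per interface and direction: {ifname: {"in": n, "out": n}}."""
    summary = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            summary[rec["ifname"]][rec["dir"]] += 1
    return dict(summary)


def one_sided_interfaces(lines):
    """Interfaces whose logged packets are all 'in' or all 'out'.

    An enc0 that only ever shows 'out' entries while the tunnel carries
    traffic both ways is the behaviour the thread complains about.
    """
    return sorted(ifn for ifn, c in direction_summary(lines).items()
                  if (c["in"] == 0) != (c["out"] == 0))


# Constructed sample log: the first line is the one quoted in the thread,
# the others are made up to exercise the parser (fxp0 is a hypothetical NIC).
SAMPLE_LOG = [
    "Mar 25 20:01:32 <local0.warn> gate pflogd: @7 block out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)",
    "Mar 25 20:01:33 <local0.warn> gate pflogd: @7 block out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)",
    "Mar 25 20:01:33 <local0.warn> gate pflogd: @3 block in fxp0 TCP 203.0.113.5.44112 -> 192.168.164.81.22",
    "Mar 25 20:01:34 <local0.warn> gate pflogd: @4 pass out fxp0 TCP 192.168.164.81.51000 -> 203.0.113.5.443",
    "Mar 25 20:01:35 gate sshd[123]: unrelated line that must be ignored",
]

if __name__ == "__main__":
    print(direction_summary(SAMPLE_LOG))
    print("one-sided:", one_sided_interfaces(SAMPLE_LOG))
```

Feed it the real pflogd output from syslog to see whether the interface under test ever logs an `in` entry for traffic you know arrived through the tunnel.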


