Date:      Tue, 21 Mar 2017 12:44:01 +0100
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Kristof Provost <kristof@sigsegv.be>, Marin Bernard <lists@olivarim.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Support for the enc(4) pseudo-interface
Message-ID:  <58D11201.1000403@quip.cz>
In-Reply-To: <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be>
References:  <1490085811-bc1aa9c7b83aeddb9dee198bc4071b35@olivarim.com> <44FBCEF5-6151-46FF-A166-81E7306914CC@sigsegv.be>

Kristof Provost wrote on 2017/03/21 10:18:
> On 21 Mar 2017, at 9:43, Marin Bernard wrote:

>> If there is no SA, it is impossible for a peer to ping another. As soon
>> as IKE creates a SA, however, ping starts working. As you can see,
>> the last rule is explicitly bound to the inexistent enc0 interface, and
>> yet is working fine.
>>
> Can you try without the enc0 rule? I suspect that what’s happening here
> is that the IPSec traffic is bypassing the firewall altogether. If that's
> the case then your traffic will still flow, even without the pass on enc0
> rule.
>
> If you want to filter on it, it should work if you add ‘device enc’ to your
> kernel config. The man page suggests that should then allow you to filter
> IPSec traffic on enc0.

Shouldn't it be included in GENERIC if IPSec is now part of it? It seems 
illogical to build your own kernel for IPsec if IPSec was included in GENERIC 
for 11.0 ... but without enc.

Miroslav Lachman
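For readers following the thread, here is a worked configuration that puts Kristof's suggestion into practice: a custom kernel config that adds `device enc` on top of GENERIC, and a pf.conf fragment that keeps the encrypted leg (IKE and ESP) on the physical interface while filtering the decrypted inner packets on enc0. This is an added example, not configuration from the thread or from the FreeBSD project; the kernel name MYKERNEL, the interface em0, the peer address, and the two subnets are assumptions, using RFC 5737 documentation addresses. The point the thread makes is that a rule on enc0 parses and loads fine whether or not the enc device exists, but can only match packets once the kernel actually has `device enc`, so the rule counters are the check that tells you which case you are in.

```pf
# ---- /usr/src/sys/amd64/conf/MYKERNEL (added example, assumed kernel name) ----
# Build GENERIC plus the enc(4) pseudo-interface so pf can see decrypted
# IPsec packets on enc0.
#
# include GENERIC
# ident   MYKERNEL
# device  enc

# ---- /etc/pf.conf fragment (added example, all values assumed) ----
ext_if = "em0"            # assumed external interface carrying the ESP traffic
peer   = "203.0.113.2"    # assumed IPsec peer (documentation address)
lan    = "10.0.1.0/24"    # assumed subnet behind this gateway
remote = "10.0.2.0/24"    # assumed subnet behind the peer

set skip on lo0

# Encrypted leg on the physical interface: only IKE (UDP 500/4500) and ESP
# are allowed to and from the peer. The cleartext payload is not visible here.
pass in  on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 }
pass in  on $ext_if proto esp from $peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer

# Decrypted leg on enc0: this is where the inner packets can be filtered,
# and these rules only ever match when the kernel was built with "device enc".
# Without it they load without error and simply never see a packet.
block log on enc0
pass in  on enc0 proto tcp from $remote to $lan port 22
pass out on enc0 from $lan to $remote

# Checks after booting the new kernel and loading the ruleset:
#   ifconfig enc0        # interface is present only when the kernel has device enc
#   pfctl -vsr           # per-rule Evaluations/Packets counters; the enc0 rules
#                        # stay at zero packets if enc is missing
#   tcpdump -ni enc0     # shows the decrypted inner packets as pf sees them
```

The `pfctl -vsr` counters are the quickest way to settle the question raised in the thread: if the enc0 pass rule shows zero packets while the tunnel is clearly carrying traffic, the inner traffic is not being filtered on enc0, and the kernel needs `device enc` before rules on that interface have any effect.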



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?58D11201.1000403>