From: Volker <volker@vwsoft.com>
To: Andrew Thompson
Cc: Andre Albsmeier, freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
Date: Mon, 26 Mar 2007 02:58:20 +0200
Message-ID: <46071AAC.2020101@vwsoft.com>
In-Reply-To: <20070324185928.GC45070@heff.fud.org.nz>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

Andrew, Andre & all,

I've checked it out once more (with a corrected setup) and now have been able to block traffic on enc0 in both directions (no matter if the tunnel endpoint is the final destination or not). Sorry for my first false posting.

In this test case both machines (tunnel endpoints) are:

FreeBSD ... 6.2-RELEASE-p1 FreeBSD 6.2-RELEASE-p1 #0: Sun Feb 11 22:35:18 CET 2007 root@...:/usr/obj/usr/src/sys/GwMbg i386

One machine is using racoon (ipsec-tools), the other is using racoon2.

`ifconfig enc0':
enc0: flags=41 mtu 1536

Relevant kernconf parts:
options FAST_IPSEC
device random
device enc
device crypto

Andre: If you still have trouble getting IPSec + enc0 + pf to work, please post me a private message. I know it's hard to find someone who has a working IPSec setup and is willing to help.

At least my test setup shows it is not just possible to block traffic on device enc0 using pf, but to see all traffic in the pf logs (if being configured to do so). Probably you're willing to show us your pf rules to have a look at it?

Have pfun! ;)

Volker
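The message above reports that, with FAST_IPSEC and `device enc` in the kernel, pf rules on enc0 match the tunnelled traffic in both directions and can log it. Volker did not post his ruleset, so the pf.conf fragment below is an added example written for this page, not his rules and not anything shipped by the FreeBSD project. The interface name `fxp0`, the two inner networks, the peer address and the `ssh` service are assumptions chosen to illustrate where each kind of rule belongs; everything else is ordinary pf.conf syntax of the 6.x era (hence the explicit `keep state`, which was not yet the default).

```pf
# Added example for the enc0 + pf discussion; not Volker's ruleset.
# All names and addresses below are assumed for illustration.
ext_if     = "fxp0"              # assumed: physical interface carrying ESP
local_net  = "192.168.16.0/24"   # assumed: network behind this endpoint
remote_net = "192.168.32.0/24"   # assumed: network behind the peer
peer       = "203.0.113.2"       # assumed (documentation range): peer's outer address

# On the physical interface only IKE (UDP/500) and ESP are visible.
# The cleartext inside the tunnel never appears here, so the payload
# policy cannot be written on $ext_if.
pass in  quick on $ext_if proto udp from $peer   to $ext_if port 500 keep state
pass out quick on $ext_if proto udp from $ext_if to $peer   port 500 keep state
pass in  quick on $ext_if proto esp from $peer   to $ext_if
pass out quick on $ext_if proto esp from $ext_if to $peer

# On enc0 the decapsulated (cleartext) packets are seen, inbound and
# outbound, so the policy for what may traverse the tunnel goes here.
# "log" on every rule makes all tunnelled traffic show up on pflog0.
block log on enc0 all
pass in  log on enc0 proto tcp from $remote_net to $local_net port ssh keep state
pass out log on enc0 from $local_net to $remote_net keep state
```

Two things to keep in mind when reading logs from such a ruleset: each tunnelled packet is evaluated twice, once as ESP on `$ext_if` and once in the clear on enc0, so a state created on enc0 says nothing about the ESP rule, and enc0 has to be up for any of this to match at all (the `flags=41` in the ifconfig output above is exactly IFF_UP|IFF_RUNNING). Logged packets can be watched with `tcpdump -n -e -ttt -i pflog0`, which prints the interface name, so enc0 hits are easy to tell from `$ext_if` hits.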