From owner-freebsd-net@FreeBSD.ORG  Wed Feb  1 06:55:32 2012
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5A4DC1065676
	for <freebsd-net@freebsd.org>; Wed,  1 Feb 2012 06:55:32 +0000 (UTC)
	(envelope-from eugen@grosbein.pp.ru)
Received: from eg.sd.rdtc.ru (unknown [IPv6:2a03:3100:c:13::5])
	by mx1.freebsd.org (Postfix) with ESMTP id B00EE8FC18
	for <freebsd-net@freebsd.org>; Wed,  1 Feb 2012 06:55:31 +0000 (UTC)
Received: from eg.sd.rdtc.ru (localhost [127.0.0.1])
	by eg.sd.rdtc.ru (8.14.5/8.14.5) with ESMTP id q116t3EB042495;
	Wed, 1 Feb 2012 13:55:03 +0700 (NOVT)
	(envelope-from eugen@grosbein.pp.ru)
Message-ID: <4F28E1C7.4060209@grosbein.pp.ru>
Date: Wed, 01 Feb 2012 13:55:03 +0700
From: Eugene Grosbein <eugen@grosbein.pp.ru>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; ru-RU;
	rv:1.9.2.13) Gecko/20110112 Thunderbird/3.1.7
MIME-Version: 1.0
To: "Eric W. Bates" <ericx@ericx.net>
References: <4F28C168.9010206@ericx.net>
In-Reply-To: <4F28C168.9010206@ericx.net>
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
Cc: freebsd-net@freebsd.org
Subject: Re: allowing gif thru ipfw
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2012 06:55:32 -0000

01.02.2012 11:36, Eric W. Bates пишет:
> Seems like a silly question; but how does one allow the packets 
> composing a gif tunnel thru ipfw?
> 
> I assumed a gif was made up of ipencap (IP proto 4) packets and added rules:
> 
> $fwcmd add 00140 allow ipencap from $he_tun to me
> $fwcmd add 00141 allow ipencap from me to $he_tun
> 
> ($he_tun is an Hurricane Electric provider); but neither of them are 
> hit; so that's wrong...
> 
> tcpdump -i em_vlan5 -nnvvs0 ip proto 4
> 
> doesn't show any packets either...

Try:

tcpdump -i em_vlan5 -nnvvs0 host $he_tun and not tcp and not udp and not icmp

Perhaps, you gif is encrypted with ipsec? That changes ip protocol numbers.

Eugene Grosbein