From owner-freebsd-stable Thu Nov 14 19:58:11 2002
From: David Kelly
To: FreeBSD-stable@FreeBSD.org
Subject: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Date: Thu, 14 Nov 2002 21:57:57 -0600
Message-Id: <200211142157.57459.dkelly@HiWAAY.net>

Ran cvsup this morning (11/14/2002), built world, installed world, built and
installed new kernel, forgot mergemaster, rebooted, and my VPN to another
FreeBSD box was not working. Did not update the other box. Discovered I had
not done mergemaster on the problem box so did that and rebooted again. Still
have the same problem.

What I have found is that packets that are supposed to be on fxp0 are being
killed by ipfw for appearing on fxp1 by this rule. fxp1 is my external NIC
connected to the ISP:

    00600 14 1122 deny ip from any to 10.0.0.0/8 via fxp1

But if I add this rule in front of the above (so I don't have to retype the
above to add it back) then all is working as it once did:

    00550 2 168 allow ip from 192.168.100.0/24 to 10.0.0.0/24 in recv fxp1

The above are prior to my divert rule. Much later in my ruleset (after divert
to natd) I was allowing these packets via fxp0, the internal interface. Some
are still going that way.

The distant end is still 4.6-STABLE and shares practically the same ipfw
ruleset and everything. Rule 600 doesn't cause a problem there. Wasn't a
problem before the latest update for 4.7-stable.

No doubt I'm lost as to how IPsec packets traverse through these layers. When
setting the system up I was surprised to find nothing came through gif0. At
least nothing ipfw sees.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
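Added example, not part of the post above and not ipfw itself: a small Python model of ipfw's first-match evaluation, restricted to the two rules quoted in the message, to show why rule 600 drops the decapsulated tunnel packets and what rule 550 does and does not protect against. The interface names and prefixes are taken from the post; the packets, the SPD entry and the order "ipfw, then inbound IPsec policy check" are assumptions made for the model (the latter is how a KAME/4.x kernel treats a cleartext packet that a `require` policy covers, but the model is deliberately simplified).

```python
# Added example: a model of ipfw first-match semantics for the two rules in the
# post.  It is NOT ipfw and parses no ipfw syntax; only src/dst prefixes,
# in/out, and the recv/xmit/via interface qualifiers are modelled.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    direction: str                  # "in" or "out"
    recv_if: Optional[str]          # interface the packet was received on
    xmit_if: Optional[str] = None   # interface it leaves on (outbound only)
    from_esp: bool = False          # True once the kernel has stripped ESP


@dataclass
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    src: str                        # CIDR prefix or "any"
    dst: str
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None
    iface_mode: str = "via"         # ipfw: "via" = recv OR xmit; else "recv"/"xmit"

    def matches(self, p: Packet) -> bool:
        if self.direction and p.direction != self.direction:
            return False
        if not (in_prefix(p.src, self.src) and in_prefix(p.dst, self.dst)):
            return False
        if self.iface is None:
            return True
        if self.iface_mode == "recv":
            return p.recv_if == self.iface
        if self.iface_mode == "xmit":
            return p.xmit_if == self.iface
        return self.iface in (p.recv_if, p.xmit_if)


def in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def first_match(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """ipfw semantics: the lowest-numbered matching rule decides; rule 65535 denies."""
    for r in sorted(rules, key=lambda x: x.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"


# Assumed SPD entry for the tunnel (setkey syntax, for reference only):
#   spdadd 192.168.100.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/<peer>-<me>/require;
def spd_requires_esp(p: Packet) -> bool:
    return (p.direction == "in" and in_prefix(p.src, "192.168.100.0/24")
            and in_prefix(p.dst, "10.0.0.0/24"))


def verdict(rules: List[Rule], p: Packet) -> str:
    """Assumed order for an inbound packet: ipfw decides first; afterwards the
    inbound IPsec policy check rejects cleartext that a 'require' policy covers."""
    number, action = first_match(rules, p)
    if action == "deny":
        return f"denied by ipfw rule {number}"
    if spd_requires_esp(p) and not p.from_esp:
        return "dropped by IPsec policy (cleartext where ESP is required)"
    return f"passed (ipfw rule {number})"


# The two rules quoted in the post (counters omitted).
RULE_600 = Rule(600, "deny", "any", "10.0.0.0/8", iface="fxp1", iface_mode="via")
RULE_550 = Rule(550, "allow", "192.168.100.0/24", "10.0.0.0/24",
                direction="in", iface="fxp1", iface_mode="recv")

# Constructed packets.  The model assumes what the post observes: after ESP
# decapsulation the inner packet re-enters IP input still marked as received on
# fxp1, so ipfw sees private inner addresses "in recv fxp1".  The spoof is the
# same IP header sent in clear from the outside.
INNER = Packet("192.168.100.7", "10.0.0.5", "in", "fxp1", from_esp=True)
SPOOF = Packet("192.168.100.7", "10.0.0.5", "in", "fxp1", from_esp=False)

if __name__ == "__main__":
    for name, rules in (("rule 600 only", [RULE_600]),
                        ("550 before 600", [RULE_550, RULE_600])):
        print(name)
        for label, p in (("decapsulated VPN", INNER), ("cleartext spoof", SPOOF)):
            print(f"  {label:16s}: {verdict(rules, p)}")
```

Running it shows the three states the post describes and one it does not: with only rule 600, the decapsulated packet dies at 600 because `via fxp1` matches the receiving interface; with 550 in front, it is allowed at 550; but ipfw alone also allows a cleartext forgery carrying the same addresses on fxp1, since rule 550 cannot tell ESP-derived packets from anything else. Whether that forgery is ultimately dropped depends on the IPsec policy (a `require` policy covering the selector rejects cleartext) and on whether the ISP filters RFC 1918 sources, so rule 550 should stay as narrow as the tunnel's real selectors. Later ipfw2 releases add an `ipsec` match option that restricts a rule to packets which actually arrived inside IPsec, which is the tighter way to express this exception.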