Date:      Mon, 17 Feb 2014 11:27:53 +0100
From:      Maciej Milewski <milu@dat.pl>
To:        Philipp Schmid <philipp.schmid@openresearch.com>, freebsd-net@freebsd.org
Subject:   Re: IPSEC transport mode and PF NAT to VIMAGE Jail
Message-ID:  <5301E429.3080900@dat.pl>
In-Reply-To: <37EFF023-E94C-4B81-BE73-B1833EF14C7C@openresearch.com>
References:  <37EFF023-E94C-4B81-BE73-B1833EF14C7C@openresearch.com>

On 16.02.2014 15:47, Philipp Schmid wrote:
> Any idea how to get that working?
> For me it looks like if the packets arriving via IPsec are somehow passing the firewall and are not processed by pf.
> I can also connect to any port from the 10.0.1.111 client on 10.0.1.178, not just the ones I allowed in /etc/pf.conf
>
>
> Thank you, Philipp

set skip on /interface/
    Skip /all/ PF processing on /interface/. This can be useful on
    loopback interfaces where filtering, normalization, queueing, etc,
    are not required. This option can be used multiple times. By default
    this option is not set. 

You have: set skip on bridge0

I think that you should fix this first.

-- 
Pozdrawiam,
Maciej Milewski
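As an added illustration of the point made above (this is not code from the thread or from the FreeBSD project): a small POSIX shell check that reads a pf.conf, lists the interfaces named in "set skip on" lines, and reports any filter rule written "on" one of those interfaces. Such rules are dead, because pf never evaluates anything on a skipped interface, which is consistent with every port on 10.0.1.178 being reachable despite the pass rules. The two pf.conf fragments inside the script are constructed samples; the interface names (em0, lo0, bridge0) and the rule for 10.0.1.111 to 10.0.1.178 are assumptions loosely modelled on the thread, not the poster's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): find "set skip on" interfaces in a
# pf.conf and warn when filter rules still reference them. Everything below
# is a constructed sample; interface names and addresses are assumptions.

# Constructed pf.conf reproducing the mistake discussed in the thread:
# "set skip on { lo0 bridge0 }" turns off all pf processing on bridge0, so
# the block/pass rules on bridge0 are never consulted.
BAD_CONF='
ext_if = "em0"
set skip on { lo0 bridge0 }
scrub in all
nat on $ext_if from 10.0.1.0/24 to any -> ($ext_if)
block in on bridge0 all
pass in on bridge0 proto tcp from 10.0.1.111 to 10.0.1.178 port { 22 80 }
'

# Corrected version: only lo0 is skipped, so the bridge0 rules are enforced.
GOOD_CONF='
ext_if = "em0"
set skip on lo0
scrub in all
nat on $ext_if from 10.0.1.0/24 to any -> ($ext_if)
block in on bridge0 all
pass in on bridge0 proto tcp from 10.0.1.111 to 10.0.1.178 port { 22 80 }
'

# Print the interfaces named in "set skip on ..." lines, one per line.
# Handles both "set skip on lo0" and "set skip on { lo0 bridge0 }";
# commented-out lines are ignored because the match is anchored at "set".
skip_ifaces() {
    # $1: pf.conf text
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*set[[:space:]]*skip[[:space:]]*on[[:space:]]*//p' \
        | tr '{},' '   ' \
        | tr -s ' \t' '\n\n' \
        | sed '/^$/d'
}

# Report skipped interfaces that a pass/block/match rule still names with
# "on IFACE". Prints nothing when the configuration is consistent.
skip_conflicts() {
    # $1: pf.conf text
    for ifc in $(skip_ifaces "$1"); do
        if printf '%s\n' "$1" \
            | grep -E '^[[:space:]]*(pass|block|match)[[:space:]].*[[:space:]]on[[:space:]]+'"$ifc"'([[:space:]]|$)' \
              >/dev/null
        then
            printf '%s\n' "$ifc"
        fi
    done
}

# Demonstration on the two constructed samples.
for name in BAD_CONF GOOD_CONF; do
    eval "conf=\$$name"
    dead=$(skip_conflicts "$conf")
    if [ -n "$dead" ]; then
        echo "$name: rules on skipped interface(s) are never evaluated: $dead"
    else
        echo "$name: no filter rules on skipped interfaces"
    fi
done
```

On the host itself, `pfctl -vs Interfaces` shows the interfaces pf knows about together with their skip flag, and `pfctl -vnf /etc/pf.conf` parses a candidate file without loading it, which is a convenient way to confirm the corrected ruleset before activating it.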




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5301E429.3080900>