From owner-freebsd-net@FreeBSD.ORG Mon Feb 17 10:33:54 2014
Message-ID: <5301E429.3080900@dat.pl>
Date: Mon, 17 Feb 2014 11:27:53 +0100
From: Maciej Milewski
To: Philipp Schmid, freebsd-net@freebsd.org
Subject: Re: IPSEC transport mode and PF NAT to VIMAGE Jail
References: <37EFF023-E94C-4B81-BE73-B1833EF14C7C@openresearch.com>
In-Reply-To: <37EFF023-E94C-4B81-BE73-B1833EF14C7C@openresearch.com>
List-Id: Networking and TCP/IP with FreeBSD

On 16.02.2014 15:47, Philipp Schmid wrote:
> Any idea how to get that working?
> For me it looks like if the packets arriving via IPsec are somehow passing the firewall and are not processed by pf.
> I can also connect to any port from the 10.0.1.111 client on 10.0.1.178, not just the ones I allowed in /etc/pf.conf
>
>
> Thank you,
> Philipp

     set skip on interface
         Skip all PF processing on interface.  This can be useful on
         loopback interfaces where filtering, normalization, queueing,
         etc, are not required.  This option can be used multiple times.
         By default this option is not set.

You have:

    set skip on bridge0

I think that you should fix this first.

-- 
Pozdrawiam,
Maciej Milewski
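The following pf.conf fragment is an added illustration of the point made in the reply above; it is not configuration posted by either participant in the thread. It places the weak setting (bridge0 exempted from pf) beside a corrected form that filters bridge0 explicitly. The interface name bridge0 and the addresses 10.0.1.111 and 10.0.1.178 are taken from the thread; the macro names, the allowed port list and the use of lo0 are assumptions made for the example.

```conf
# Added example, not from the original thread. bridge0, 10.0.1.111 and
# 10.0.1.178 come from the thread; macro names and the allowed ports are
# assumptions for illustration.

# --- Weak: bridge0 is exempt from all pf processing ----------------------
# set skip on bridge0
#
# With this line present, every packet crossing bridge0 (including the
# decapsulated IPsec traffic from 10.0.1.111) bypasses filtering, NAT and
# normalization, so the pass rules below never see it and every port on
# 10.0.1.178 is reachable regardless of what /etc/pf.conf allows.

# --- Corrected: drop the skip for bridge0 and filter it explicitly -------
jail_if     = "bridge0"
jail_ip     = "10.0.1.178"
client      = "10.0.1.111"
allowed_tcp = "{ 22, 80 }"     # assumed port list; replace with the real one

set skip on lo0                # loopback only, the case the man page describes

scrub in on $jail_if all

block in log on $jail_if all

pass in quick on $jail_if proto tcp from $client to $jail_ip \
    port $allowed_tcp flags S/SA keep state
pass out on $jail_if all keep state
```

After editing, check the syntax without loading it (`pfctl -nf /etc/pf.conf`), load it (`pfctl -f /etc/pf.conf`), and confirm with `pfctl -sr` that no `set skip` line still names the interface the jail traffic crosses; a skipped interface silently defeats every rule written for it, so it is the first thing to verify when pass rules appear to have no effect.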