From: "Eric W. Bates" <ericx@vineyard.net>
To: freebsd-net@freebsd.org
Date: Tue, 10 Feb 2009 15:33:26 -0500
Subject: using enc0 with ipfw
Message-ID: <4991E496.6080101@vineyard.net>
List-Id: Networking and TCP/IP with FreeBSD

We have a working firewall with multiple ESP tunnels. To this machine we want to add the ability to filter the emergent, decrypted packets. We are running 7.1-RELEASE-p2.

Does filtering require both the IPSEC_FILTERTUNNEL option and the enc device? Or are these two separate approaches to the same problem?

We cannot get the firewall to "accept" decrypted packets in. With a ping running from tunneled network to tunneled network, tcpdump shows ESP packets leaving the firewall. At the remote end, tcpdump shows ICMP echo requests and echo replies on the internal interface, and it also shows bi-directional ESP traffic on the external interface. However, on the originating firewall tcpdump shows none of the ESP reply packets.

All the firewall deny rules have logging enabled. Nothing appears in the log. So as far as we can tell, ipfw is not blocking anything.

enc0 has been ifconfig'ed "up", and the enc sysctl flags have been set as suggested in enc(4). tcpdump on enc0 on the originating machine shows the ICMP echo requests going out. ipfw has an explicit "allow ip from any to any" on enc0 which is not getting any hits.

We have tried this both with and without enc and IPSEC_FILTERTUNNEL, in all the various permutations, with basically the same results. If we recompile and remove both the enc device and the IPSEC_FILTERTUNNEL option, the tunnel works fine.

Any thoughts? RTFM is a welcome suggestion, but none of the man pages really seem to cover this and we have had little luck with Google.

Thank you for your time.

-- 
Eric W. Bates
ericx@vineyard.net
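For reference, here is the enc(4) plus ipfw configuration that the post describes (enc0 up, the enc sysctl masks set, an explicit rule on enc0, logging on the deny), written out as an added example. It is not from the original post, from FreeBSD's documentation, or from a reply in the thread. It covers only the enc(4) approach, not IPSEC_FILTERTUNNEL. The external interface name (em0), the two tunneled networks (10.1.0.0/16 and 10.2.0.0/16), the rule numbers and the IKE port are assumptions; the sysctl names and bit values (0x1 = before IPsec processing, 0x2 = after, so inbound 0x2 and outbound 0x1 give the firewall the plaintext) are as the enc(4) man page of that era describes them, and should be checked against enc(4) on the release actually in use. The script is a dry-run generator: it prints the commands and the checks to run afterwards, and only applies them when APPLY=1 is set, so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post: generate (and optionally apply) a
# minimal FreeBSD enc(4) + ipfw setup for filtering decrypted IPsec traffic.
# Interface names, networks and rule numbers below are assumptions.

EXT_IF=${EXT_IF:-em0}                  # assumed external interface carrying ESP
INNER_NET=${INNER_NET:-10.1.0.0/16}    # assumed local tunneled network
REMOTE_NET=${REMOTE_NET:-10.2.0.0/16}  # assumed remote tunneled network

# enc(4) bitmasks (assumed per the enc(4) man page): 0x1 = give the packet to
# the firewall/BPF before IPsec processing, 0x2 = after. Inbound "after" is the
# decrypted packet; outbound "before" is the plaintext. These values make ipfw
# and tcpdump see plaintext on enc0 in both directions.
enc_sysctls() {
    cat <<'EOF'
sysctl net.enc.in.ipsec_filter_mask=0x2
sysctl net.enc.out.ipsec_filter_mask=0x1
sysctl net.enc.in.ipsec_bpf_mask=0x2
sysctl net.enc.out.ipsec_bpf_mask=0x3
ifconfig enc0 up
EOF
}

# ipfw rules: let ESP and IKE through on the outer interface, then filter the
# decrypted (inner) packets on enc0. The final deny logs, so a decrypted packet
# that reaches ipfw but matches nothing above is visible in the log.
enc_ipfw_rules() {
    cat <<EOF
ipfw add 100 allow esp from any to any via $EXT_IF
ipfw add 110 allow udp from any to any 500 via $EXT_IF
ipfw add 200 allow icmp from $INNER_NET to $REMOTE_NET via enc0
ipfw add 210 allow icmp from $REMOTE_NET to $INNER_NET via enc0
ipfw add 290 deny log ip from any to any via enc0
EOF
}

# Checks to run while a ping is going across the tunnel: the counters on 200
# and 210 should increase; hits on 290 mean the inner packet reached ipfw but
# was not matched; zero hits everywhere with nothing on enc0 in tcpdump means
# the packet never reached enc0 at all.
enc_checks() {
    cat <<'EOF'
ipfw show | grep -E '^00(200|210|290) '
tcpdump -ni enc0 -c 4 icmp
EOF
}

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        { enc_sysctls; enc_ipfw_rules; } | sh    # needs root
    else
        echo '# dry run; set APPLY=1 to apply the sysctl/ifconfig/ipfw lines'
        enc_sysctls
        enc_ipfw_rules
        echo '# checks to run afterwards:'
        enc_checks
    fi
}

main
```

Run it once without APPLY to review the generated lines, then with APPLY=1 as root. The logged deny on enc0 is the useful diagnostic: if it never fires and the enc0 allow rules never count, the decrypted packet is not reaching ipfw via enc0, and the problem is upstream of the firewall rules.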