From owner-freebsd-pf@FreeBSD.ORG Sat Mar 24 19:12:02 2007
Return-Path: 
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 575E416A40B
	for ; Sat, 24 Mar 2007 19:12:02 +0000 (UTC)
	(envelope-from thompsa@freebsd.org)
Received: from heff.fud.org.nz (203-109-251-39.static.bliink.ihug.co.nz [203.109.251.39])
	by mx1.freebsd.org (Postfix) with ESMTP id E686413C489
	for ; Sat, 24 Mar 2007 19:12:01 +0000 (UTC)
	(envelope-from thompsa@freebsd.org)
Received: by heff.fud.org.nz (Postfix, from userid 1001)
	id 0DFA01CC58; Sun, 25 Mar 2007 06:59:28 +1200 (NZST)
Date: Sun, 25 Mar 2007 06:59:28 +1200
From: Andrew Thompson 
To: Volker 
Message-ID: <20070324185928.GC45070@heff.fud.org.nz>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <46052572.9070402@vwsoft.com>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: Andre Albsmeier , freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sat, 24 Mar 2007 19:12:02 -0000

On Sat, Mar 24, 2007 at 02:19:46PM +0100, Volker wrote:
> Andre,
> 
> On 12/23/-58 20:59, Andre Albsmeier wrote:
> > [Retrying on -pf...]
> > 
> > (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
> > 
> > Just to make things clear: IPSEC works (as it did for years), I'm
> > just not able to control the incoming packets with enc0 in pf.
> 
> On the other side, I've played with device enc a few weeks ago and
> was asking for clarification on net@ but didn't get any reply.
> 
> What's really strange is packets coming through an IPSec tunnel can
> be seen by pf on device enc but packets are still passing through
> even if device enc0 is down.

The code does check if the interface is running but if it's not then
just passes the packet through unhindered. Do you think it should
behave like you describe where the packets are dropped? See line 204,
change the check to this:

	if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
		m_freem(*mp);
		return (-1);
	}

> So from my experience device enc currently is a bit strange in
> behavior (at least on -STABLE). Also AFAIR I haven't been able to
> block packets on device enc0 using pf. I suspect device enc is
> currently a bit of a hack and currently probably only useful for
> packet / connection logging but not for real firewalling. You might
> check out if you're able to block anything on enc0 (my memories
> might be wrong) and play with it a bit.

This should work as you say and if it's not then that's a bug. Can you
log the packets with pflog to check they are being blocked?

Andrew
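The following is an added illustration and is not code from FreeBSD's if_enc.c or from anyone in this thread. It is a user-space model of the "interface not running" branch of the enc(4) pre-filter hook, built to make the security-relevant difference concrete: with the behaviour Andrew describes, a packet arriving while enc0 is down is neither filtered nor dropped, it simply continues past pf; with the proposed change it is dropped. The types and function names (enc_ifnet, enc_mbuf, run_pfil, enc_hook_old, enc_hook_new, simulate) are invented for the model, the pf "decision" is a constructed flag rather than a real ruleset, and only the IFF_DRV_RUNNING test itself mirrors the change quoted above.

```c
/*
 * Added example, not FreeBSD's if_enc.c. A user-space model of the
 * enc(4) pre-filter hook's "enc0 not RUNNING" branch. Names below are
 * hypothetical stand-ins for kernel structures; the kernel's real
 * m_freem()/pfil_run_hooks() are replaced by free() and run_pfil().
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit value matches FreeBSD's IFF_DRV_RUNNING; only its meaning matters here. */
#define IFF_DRV_RUNNING 0x40

struct enc_ifnet { unsigned if_drv_flags; };      /* stand-in for struct ifnet */
struct enc_mbuf  { char payload[64]; };           /* stand-in for struct mbuf  */

/* What the hook returns to its caller. */
enum enc_verdict { ENC_BYPASS = 0, ENC_DROPPED = -1, ENC_FILTERED = 1 };

static int pf_allow;        /* constructed pf decision for this run: 1 pass, 0 block */
static int pf_saw_packet;   /* counts packets that actually reached the pf hook */

/* Stand-in for handing the packet to the pfil hooks (pf). */
static int run_pfil(struct enc_mbuf **mp)
{
	pf_saw_packet++;
	if (!pf_allow) {
		free(*mp);      /* pf blocked it: packet is consumed */
		*mp = NULL;
		return ENC_DROPPED;
	}
	return ENC_FILTERED;    /* pf passed it: continue with the packet */
}

/* Behaviour described in the thread: a non-running enc0 is skipped, so the
 * packet continues unfiltered and pf never sees it at all. */
static int enc_hook_old(struct enc_ifnet *encif, struct enc_mbuf **mp)
{
	if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0)
		return ENC_BYPASS;          /* the "just passes it through" case */
	return run_pfil(mp);
}

/* The proposed change: a non-running enc0 drops the packet instead. */
static int enc_hook_new(struct enc_ifnet *encif, struct enc_mbuf **mp)
{
	if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
		free(*mp);                  /* m_freem(*mp) in the kernel */
		*mp = NULL;
		return ENC_DROPPED;         /* return (-1) */
	}
	return run_pfil(mp);
}

/*
 * Push one constructed packet through the chosen hook.
 *   use_new: 1 = proposed check, 0 = old check
 *   enc_up : 1 = enc0 RUNNING, 0 = enc0 down
 *   allow  : what pf would decide if it sees the packet
 * Returns the verdict; *seen reports whether pf ran at all.
 */
static int simulate(int use_new, int enc_up, int allow, int *seen)
{
	struct enc_ifnet encif = { .if_drv_flags = enc_up ? IFF_DRV_RUNNING : 0 };
	struct enc_mbuf *m = calloc(1, sizeof *m);

	strcpy(m->payload, "constructed decrypted ESP payload");
	pf_allow = allow;
	pf_saw_packet = 0;

	int v = use_new ? enc_hook_new(&encif, &m) : enc_hook_old(&encif, &m);

	*seen = pf_saw_packet;
	free(m);                /* NULL if the hook already consumed it */
	return v;
}

int main(void)
{
	int seen, v;

	v = simulate(0, 0, 0, &seen);
	printf("old hook, enc0 down, pf would block: verdict %d, pf saw %d\n", v, seen);
	v = simulate(1, 0, 0, &seen);
	printf("new hook, enc0 down, pf would block: verdict %d, pf saw %d\n", v, seen);
	v = simulate(1, 1, 0, &seen);
	printf("new hook, enc0 up,   pf would block: verdict %d, pf saw %d\n", v, seen);
	return 0;
}
```

The first line of output is the case Volker reports: enc0 down, verdict 0 (bypass) and pf saw 0 packets, so any "block on enc0" rule is never consulted. With the proposed check the same packet is dropped, and with enc0 up it reaches pf and pf's decision applies. Whichever behaviour ends up in the tree, the practical check for a ruleset is the one Andrew suggests: add "log" to the enc0 rules and confirm on pflog0 that blocked packets actually appear there.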