From: Andre Albsmeier <Andre.Albsmeier@siemens.com>
Date: Wed, 28 Mar 2007 08:58:58 +0200
To: Andrew Thompson
Message-ID: <20070328065858.GA8788@curry.mchp.siemens.de>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz> <46071AAC.2020101@vwsoft.com> <20070326050747.GC68655@heff.fud.org.nz>
In-Reply-To: <20070326050747.GC68655@heff.fud.org.nz>
Cc: Volker, Andre Albsmeier, freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, 26-Mar-2007 at 17:07:47 +1200, Andrew Thompson wrote:
> On Mon, Mar 26, 2007 at 02:58:20AM +0200, Volker wrote:
> > Andrew, Andre & all,
> >
> > I've checked it out once more (with a corrected setup) and now have
> > been able to block traffic on enc0 in both directions (no matter if
> > the tunnel endpoint is final destination or not).
>
> Great. Thanks for looking into it anyway.

Andrew, I can now confirm Volker's findings for non-GIF-based IPSec
tunnels. On GIF-based setups only outgoing packets can be controlled in
pf on enc0. I have filed a PR regarding this issue:

http://www.freebsd.org/cgi/query-pr.cgi?pr=110959

Thanks to all for their help so far,

-Andre
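For readers following the thread, the pf.conf fragment below is an added example (not posted by anyone in this thread) of what "blocking traffic on enc0 in both directions" looks like: a default-deny on enc0 with explicit pass rules for the inbound (decrypted) and outbound (about-to-be-encrypted) tunnel traffic, plus the ESP/IKE rules on the outer interface that carry the tunnel itself. The interface name, addresses and subnets are constructed placeholders, not values from the thread.

```pf
# Constructed placeholders: outer interface, local and remote tunnel subnets,
# and the remote IPsec peer. Replace with your own values.
ext_if     = "fxp0"
local_net  = "10.0.1.0/24"
remote_net = "10.0.2.0/24"
peer       = "192.0.2.1"

# The encrypted tunnel itself (ESP) and IKE (UDP/500) on the outer interface.
pass in  quick on $ext_if proto esp from $peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port 500
pass out quick on $ext_if proto udp from ($ext_if) to $peer port 500

# Cleartext view of the tunnel on enc0: inbound packets after decryption,
# outbound packets before encryption. Default-deny in both directions, then
# pass only the two tunnel subnets so unexpected hosts cannot use the tunnel.
block log on enc0 all
pass in  on enc0 from $remote_net to $local_net
pass out on enc0 from $local_net to $remote_net

# Per the finding reported in this thread for 6.2-STABLE: with a GIF-based
# tunnel only the outbound direction is seen on enc0, so the "pass in on enc0"
# rule above is never evaluated for inbound traffic there (see PR 110959).
```

Loading this with `pfctl -nf /etc/pf.conf` first only parses the ruleset; `pfctl -vsr` afterwards shows per-rule counters, which is a quick way to see whether the `in on enc0` rule is ever matched on a given setup.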