From: Volker <volker@vwsoft.com>
Date: Sat, 24 Mar 2007 20:35:36 +0100
To: Andrew Thompson
Cc: freebsd-pf@freebsd.org
Subject: Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
Message-ID: <46057D88.4070305@vwsoft.com>
In-Reply-To: <20070324185928.GC45070@heff.fud.org.nz>
References: <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Andrew,

On 03/24/07 19:59, Andrew Thompson wrote:
>> What's really strange is packets coming through an IPSec tunnel can
>> be seen by pf on device enc but packets are still passing through
>> even if device enc0 is down.
>
> The code does check if the interface is running but if it's not then just
> passes the packet through unhindered. Do you think it should behave like
> you describe where the packets are dropped?

IMHO this is ok but it should be documented at least on enc(4). A short
note like "if the device is down packets are still passing the firewall
unfiltered" or the like would help.

Also the following (from enc(4)):

"The enc interface allows an administrator to see outgoing packets..."

led me to the assumption enc is only of use for "seeing" traffic but not
of any use for filtering.

>
> See line 204, change the check to this
>
> if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
>         m_freem(*mp);
>         return (-1);
> }
>
>> So from my experience device enc currently is a bit strange in
>> behavior (at least on -STABLE). Also AFAIR I haven't been able to
>> block packets on device enc0 using pf. I suspect device enc is
>> currently a bit of a hack and currently probably only useful for
>> packet / connection logging but not for real firewalling. You might
>> check out if you're able to block anything on enc0 (my memories
>> might be wrong) and play with it a bit.
>
> This should work as you say and if it's not then that's a bug. Can you log
> the packets with pflog to check they are being blocked.

Will try to do so, but first I have to solve another issue with the
filesystem. I'll set up some experimental rules and see if I'm able to
block traffic on enc0. Please stay tuned.

Greetings,

Volker
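As an added example that is not part of this thread and not FreeBSD's own documentation or code: a pf.conf fragment of the kind Volker proposes to test with. It puts a logged default-deny on enc0 so that pflog0 records exactly what pf sees on that interface in each direction, and only allows the traffic the tunnel is meant to carry. The outer interface name (em0), the tunnel subnets and the SSH/ICMP allowances are assumptions chosen for illustration.

```pf
# Added example, not from the thread. Assumptions: the tunnel carries
# 10.1.0.0/24 <-> 10.2.0.0/24, the outer (untrusted) interface is em0,
# and a pflog0 interface exists for logging.
ipsec_if   = "enc0"
local_net  = "10.1.0.0/24"
remote_net = "10.2.0.0/24"

# The encrypted packets and IKE have to reach the kernel on the outer
# interface; the decapsulated plaintext is what pf sees on enc0.
pass in  quick on em0 proto esp from any to (em0)
pass out quick on em0 proto esp from (em0) to any
pass in  quick on em0 proto udp from any to (em0) port 500
pass out quick on em0 proto udp from (em0) to any port 500

# Logged default-deny on the tunnel side. A separate rule per direction
# makes it visible on pflog0 whether inbound packets ever reach pf on enc0.
block in  log on $ipsec_if all
block out log on $ipsec_if all

# Only the traffic the tunnel is meant to carry.
pass in  on $ipsec_if proto tcp  from $remote_net to $local_net port 22 keep state
pass out on $ipsec_if proto icmp from $local_net  to $remote_net keep state
```

To check the rules the way Andrew suggests, load them with `pfctl -f /etc/pf.conf`, generate tunnel traffic that no pass rule covers, and watch `tcpdump -n -e -ttt -i pflog0`: every logged packet names the interface (enc0) and direction it was blocked on, and `pfctl -vsr` shows the per-rule packet counters. Two caveats follow directly from the thread: enc0 must be up (`ifconfig enc0 up`), because on this code base packets bypass the filter entirely while the interface is down; and if inbound tunnel traffic reaches the application while the `block in log on enc0` counter stays at zero, pf never saw those packets on enc0, which is the symptom in the subject line rather than a rule mistake.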