From owner-freebsd-questions@FreeBSD.ORG Sun Dec 10 08:47:05 2006
From: Andrikó Tamás <and3co@gmail.com>
To: freebsd-questions@freebsd.org
Date: Sun, 10 Dec 2006 09:47:04 +0100
Subject: packet processing order
Message-ID: <155cea990612100047l40a0f181m3d81d20da89183fe@mail.gmail.com>
List-Id: User questions

Hi list,

I wanted to set up an IPsec VPN tunnel on one of my FreeBSD boxes. I'm using pf to do the firewalling. Implementing almost the whole VPN task wasn't a big deal, but I got into some trouble adjusting pf.conf. I think I don't understand exactly how network packets are processed, especially the order in which packets are processed. Somehow the tunneled packets from my local LAN don't even get into the gif interface.

My guess is the following:

  the packet enters one of the interfaces
    => apply the incoming pf rules on the appropriate interface (last match wins)
  NAT-ing, redirecting the packets
    => apply rdr and nat rules (first match wins)
  routing the packet (ip.forward=1)
    => if the packet destination cannot be routed, drop or dest unreachable
  putting out the packet (based on the routing decision)
    => apply the outgoing rules on the appropriate interface (last match wins)

Please correct me if I'm wrong, and if you could point me to a good tutorial that would be best (other than http://www.openbsd.org/faq/pf/).

Thanks for your help,
Tom
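A pf.conf skeleton that follows the order sketched above for a gif-over-IPsec tunnel, added here as an illustration and not the poster's actual configuration; the interface names, networks and peer address are placeholders:

```conf
# Placeholders, not the poster's real values
ext_if     = "em0"
int_if     = "em1"
lan_net    = "192.168.1.0/24"
remote_net = "192.168.2.0/24"
peer_gw    = "203.0.113.2"      # remote tunnel endpoint

set skip on lo0

# Translation (nat/rdr) is evaluated before filtering and the FIRST match
# wins, so the exemption for tunnel traffic must precede the general NAT rule.
no nat on $ext_if from $lan_net to $remote_net
nat on $ext_if from $lan_net to any -> ($ext_if)

# Filter rules: the LAST match wins unless a rule says "quick".
block log all

# Inbound on the LAN side: the cleartext packets arrive here first
pass in on $int_if from $lan_net to $remote_net keep state
pass in on $int_if from $lan_net to any keep state

# After routing they leave through the gif interface, so the cleartext
# must also be passed on gif0 (both directions)
pass out on gif0 from $lan_net to $remote_net keep state
pass in  on gif0 from $remote_net to $lan_net keep state

# On the outer interface only the encapsulated traffic (ESP) and the
# IKE exchange (udp/500) are visible; the inner packets never appear here
pass in  on $ext_if proto esp from $peer_gw to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer_gw
pass in  on $ext_if proto udp from $peer_gw to ($ext_if) port isakmp keep state
pass out on $ext_if proto udp from ($ext_if) to $peer_gw port isakmp keep state
```

With "block log all" in place, `tcpdump -n -e -ttt -i pflog0` shows which interface and direction a dropped tunnel packet was blocked on, which is the quickest way to see where in this sequence the traffic is being stopped.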