From: Stephen Clark
Date: Mon, 30 Oct 2006 12:41:40 -0500
To: stable@freebsd.org
Subject: Strange problem with ipfilter

Hello List,

We are having a strange problem with RELENG_6_1 and ipfilter 4.1.8. We are running gre tunnels over fast_ipsec tunnels. We have the following rule in ipf:

    pass out proto icmp from any to any keep state

When we ping from the remote end across the ipsec tunnel to the ipsec local endpoint address it works fine. When we ping the local gre endpoint from the remote end ipf blocks the icmp-reply. This works with 4.9 and ipfilter 3.4.31.

We can work around this by disabling the ipf rule - but is anyone else experiencing problems with ipfilter 4.1.8?

Thanks,
Steve

--
"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)