Date: Sun, 9 Jan 2005 00:23:55 +0000 From: Lewis Thompson <lewiz@fajita.org> To: questions@freebsd.org Subject: Packet filtering with pf and gif tunnels. Message-ID: <20050109002355.GA3882@black.fajita.org>
Hi,

I am wondering what sequence a packet goes through when it is passing through a gif tunnel. I have the following interface and gif tunnel (with the equivalent being on the same subnet at the other side):

  fxp0: a.a.a.a/24
  gif0: a.a.a.a -> a.a.a.b (192.168.0.1/32 -> 192.168.0.2/32)

My question is really what order does the packet pass through my firewall (pf) in? I.e., is it:

  in on fxp0 from a.a.a.b to a.a.a.a (unencapsulated)
  in on gif0 from 192.168.0.2 to 192.168.0.1

or does it just magically ``appear'' on gif0 straight away?

Now I write it out I am assuming that it passes through pf twice (first on fxp0 and secondly on gif0); if this is in fact the case, what sensible rule might I add to allow this encapsulated traffic from a.a.a.b? Currently I have pf configured as follows:

  pass all
  pass quick proto icmp
  block in on fxp0
  pass out on fxp0 keep state
  pass in on fxp0 proto tcp from any to fxp0 port 22 keep state

The reason I ask this question is that for my tunnel endpoints to ping each other, a.a.a.a must be doing so (a.a.a.b has no firewall).

Thank you,

-Lewis Thompson.

-- 
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
-| msn:lewiz@fajita.org | jabber:lewiz@jabber.org | url:www.lewiz.org |-
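An added example of the kind of ruleset the question is after; it is not part of the original message and not the poster's configuration. A gif tunnel carrying IPv4 inside IPv4 is sent as IP protocol 4 (named "ipencap" in /etc/protocols), so the outer packet is seen by pf on fxp0 first, and the decapsulated inner packet is seen again on gif0. The rules below therefore pass only the tunnel carrier protocol from the remote endpoint on fxp0, and do the real filtering of the inner 192.168.0.x traffic on gif0. The macros, the placeholder addresses a.a.a.a / a.a.a.b and the choice to pass only ICMP on gif0 are assumptions for illustration; if the tunnel carries IPv6 inside IPv4 the carrier is protocol 41 ("ipv6") rather than "ipencap".

```pf
# pf.conf (added example, not the poster's ruleset; addresses are placeholders)
ext_if = "fxp0"
tun_if = "gif0"
peer   = "a.a.a.b"          # remote tunnel endpoint (outer address)
tun_remote = "192.168.0.2"  # remote tunnel address (inner address)
tun_local  = "192.168.0.1"  # local tunnel address (inner address)

# pf is last-match-wins; keep the original default and ICMP rules
pass all
pass quick proto icmp

# Physical interface: default deny inbound, allow our own outbound and SSH
block in on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state

# First pass through pf: the encapsulated carrier packet arriving on fxp0.
# IPv4-in-IPv4 is IP protocol 4 ("ipencap"); use "proto ipv6" (41) for an
# IPv6-over-IPv4 gif tunnel. Restrict it to the known remote endpoint only.
pass in on $ext_if proto ipencap from $peer to $ext_if

# Second pass through pf: the decapsulated inner packet on gif0. Filter the
# tunnel traffic here rather than blindly trusting whatever the peer sends.
block in on $tun_if
pass in on $tun_if proto icmp from $tun_remote to $tun_local
pass out on $tun_if from $tun_local to $tun_remote keep state
```

Before loading, check the syntax without applying it with `pfctl -nf /etc/pf.conf`, and confirm which interface is dropping the packets with `tcpdump -n -e -ttt -i pflog0` while pinging from a.a.a.b; a "block in on fxp0" log line for proto 4 means the carrier rule is missing, while a block on gif0 means the inner rules are too strict.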