From owner-freebsd-questions@FreeBSD.ORG Sun Jan 9 00:24:09 2005
Date: Sun, 9 Jan 2005 00:23:55 +0000
From: Lewis Thompson
To: questions@freebsd.org
Message-ID: <20050109002355.GA3882@black.fajita.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.6i
Subject: Packet filtering with pf and gif tunnels.

Hi,

I am wondering what sequence a packet goes through when it is passing
through a gif tunnel.

I have the following interface and gif tunnel (with the equivalent being
on the same subnet at the other side):

  fxp0: a.a.a.a/24
  gif0: a.a.a.a -> a.a.a.b (192.168.0.1/32 -> 192.168.0.2/32)

My question is really what order does the packet pass through my
firewall (pf) in? i.e., is it:

  in on fxp0 from a.a.a.b to a.a.a.a (unencapsulated)
  in on gif0 from 192.168.0.2 to 192.168.0.1

or does it just magically ``appear'' on gif0 straight away?

Now I write it out I am assuming that it passes through pf twice (first
on fxp0 and secondly on gif0); if this is in fact the case, what
sensible rule might I add to allow this encapsulated traffic from
a.a.a.b?

Currently I have pf configured as follows:

  pass all
  pass quick proto icmp
  block in on fxp0
  pass out on fxp0 keep state
  pass in on fxp0 proto tcp from any to fxp0 port 22 keep state

The reason I ask this question is that for my tunnel endpoints to ping
each other, a.a.a.a must be doing so (a.a.a.b has no firewall).

Thank you,

-Lewis Thompson.

-- 
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
-| msn:lewiz@fajita.org | jabber:lewiz@jabber.org | url:www.lewiz.org |-
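The ruleset below is an added example written for this archive page; it is not from the post above or from the FreeBSD project. It assumes the interface names and placeholder addresses the post gives (fxp0, gif0, a.a.a.a, a.a.a.b, 192.168.0.1 and 192.168.0.2), and the macro names and the 192.168.0.0/30 tunnel network are assumptions made for the example. A gif IPv4-in-IPv4 tunnel is carried on the wire as IP protocol 4 (listed as "ipencap" in /etc/protocols), and pf filters the same packet twice: once as the outer protocol-4 packet on fxp0, and again as the decapsulated inner packet on gif0. The example therefore passes the outer packets only from the known peer, and filters the inner packets on gif0 instead of trusting them because they arrived through the tunnel.

```pf
# Added example pf.conf for a host terminating a gif tunnel on fxp0.
# Interface names and addresses are placeholders taken from the post;
# the macro names and tun_net are assumptions made for this example.
ext_if  = "fxp0"
tun_if  = "gif0"
me      = "a.a.a.a"
peer    = "a.a.a.b"
tun_net = "192.168.0.0/30"     # assumed: covers 192.168.0.1 and 192.168.0.2

# Last matching rule wins: start permissive, then tighten per interface.
# "log" sends dropped packets to pflog0 so blocks can be seen with tcpdump.
pass all
block in log on $ext_if

# Outer packets: the tunnel is IP protocol 4 ("ipencap").  Accept it only
# from the known peer and only to the tunnel's local address, so that an
# arbitrary host cannot inject packets into gif0.
pass in  on $ext_if inet proto ipencap from $peer to $me
pass out on $ext_if inet proto ipencap from $me to $peer

# Ordinary traffic on the outside interface, as in the original ruleset.
pass out on $ext_if keep state
pass in  on $ext_if inet proto tcp from any to $me port 22 keep state

# Inner packets: after decapsulation the packet is seen again on gif0 with
# the 192.168.0.x addresses.  Filter it like any other interface; here only
# the tunnel endpoints may ping each other, and replies ride on state.
block in log on $tun_if
pass in  on $tun_if inet proto icmp from $tun_net to $tun_net keep state
pass out on $tun_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To confirm the two-pass behaviour on a running system, `tcpdump -ni fxp0 proto 4` shows the outer encapsulated packets while `tcpdump -ni gif0` shows the inner 192.168.0.x packets, and `tcpdump -n -e -ttt -i pflog0` shows what the `block ... log` rules dropped, including the interface each drop happened on. If the tunnel carries IPv6 rather than IPv4, the outer protocol is 41 ("ipv6" in /etc/protocols) and the ipencap rules need a matching pair for that protocol.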