Date: Tue, 25 Oct 2005 14:05:39 +0200
From: VANHULLEBUS Yvan
To: freebsd-pf@freebsd.org
Subject: Re: Filtering IPSec traffic ?
Message-ID: <20051025120539.GA2761@zeninc.net>
References: <20051025095745.GA2581@zeninc.net>

On Tue, Oct 25, 2005 at 06:16:22AM -0500, Travis H. wrote:
> I think you have to set up filtering on the external interface for UDP
> port 500 (for the ISAKMP) and IP protocols 50 and 51 (proto esp and
> proto ah, in pf.conf syntax).
Yes, thanks, I know that :-)

And, to be exact, I'll have to allow UDP 500/4500, as I'm using NAT-T (subliminal message: kernel patch still not included in FreeBSD...).

> Then, the decrypted version appears on enc0, so you can match the
> decapsulated stuff.

That's the problem: enc0 doesn't seem to exist, at least on my FreeBSD 6 gate (perhaps I missed something in the configuration, or perhaps this is not a "real" interface?)!!!

Such an interface would be very useful for filtering IPSec traffic, and also to be able to dump traffic from/to IPSec peers, and would be, imho, the best solution (and would not be pf specific), but at least "some option" in the pf syntax would be interesting, to be able to match traffic which comes from an IPSec tunnel...

Yvan.
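A pf.conf fragment that pulls together the rules discussed in this thread (IKE on UDP 500, NAT-T on UDP 4500, ESP and AH on the external interface, and the decapsulated traffic on enc0). This is an added example, not from the original mail; the interface name, addresses and networks are constructed placeholders, and the enc0 rules assume a kernel that actually provides the enc(4) pseudo-interface, which the FreeBSD 6 gate in this thread did not.

```pf
# Constructed example: pf rules for an IPsec gateway (not from the thread).
ext_if     = "em0"             # assumed external interface name
peer       = "203.0.113.10"    # remote IPsec gateway (documentation address)
local_net  = "192.168.1.0/24"  # assumed network behind this gateway
remote_net = "10.0.0.0/24"     # assumed network behind the peer

set skip on lo0
block log all

# IKE (UDP 500) and NAT-T (UDP 4500), restricted to the known peer only,
# so the exposure on the external interface is limited to one address.
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 } keep state
pass out quick on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 } keep state

# ESP (IP proto 50) and AH (IP proto 51) carrying the tunnel itself.
pass in  quick on $ext_if proto { esp, ah } from $peer to ($ext_if)
pass out quick on $ext_if proto { esp, ah } from ($ext_if) to $peer

# After decryption the inner packets appear on enc0 (needs enc(4), and
# "ifconfig enc0 up"). Filter the inner addresses here, not on $ext_if.
# if-bound keeps these states from matching the same flow on $ext_if.
pass in  quick on enc0 from $remote_net to $local_net keep state (if-bound)
pass out quick on enc0 from $local_net to $remote_net keep state (if-bound)
```

With "block log all" as the default, inner traffic that does not match the enc0 rules is logged on pflog0 and can be inspected with tcpdump, which also gives the cleartext view of IPsec flows the mail asks for.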