From: Tom Judge
Date: Mon, 05 Mar 2007 09:21:28 +0000
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Re: Tracing packets passing through PF

Greg Hennessy wrote:
>> I have the following rules on lo0:
>>
>
> Have you tried a set skip with a default block log all?
>
> Greg
>

The packet is not getting filtered; it leaves the host and passes on the wire to the default gateway. There are no issues with the traffic being filtered by the originating host's firewall. The problem is that the ESP packet's next hop is not being modified by the source routing rule, and it is therefore being sent to the incorrect gateway, where the ISP filters the packet.

It is only the ESP traffic that fails to be routed correctly; all other traffic is fine. It is almost as if the ESP packet never enters PF and is transmitted straight out onto the network, hence me starting this thread about being able to trace the packet through the stack.

Tom
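The diagnostic Greg suggests, as a minimal pf.conf: skip filtering on lo0 entirely, make the default block log, and log the route-to rule itself, so every packet pf actually evaluates shows up on pflog0 together with the rule number that matched it. This is an added illustration and not configuration posted in the thread; the interface names, the VPN gateway address and the IPsec peer address are assumptions.

```pf
# Added example, not from the thread. Interface names and addresses are assumed.
ext_if = "em0"              # assumed interface carrying the default route
vpn_if = "em1"              # assumed interface towards the VPN gateway
vpn_gw = "192.0.2.1"        # assumed next hop the ESP traffic should use
peer   = "198.51.100.7"     # assumed remote IPsec peer

# Do not filter loopback at all. If the ESP packet still leaves via the
# default gateway, rules on lo0 cannot be what is going wrong.
set skip on lo0

# Logging default block: anything pf evaluates and does not explicitly
# pass is recorded on pflog0 with the rule that blocked it.
block log all

# Send ESP to the VPN gateway instead of following the routing table.
# "log" on this rule confirms on pflog0 whether it matched at all; the
# route-to option must come directly after "on $ext_if" in pf grammar.
pass out log on $ext_if route-to ($vpn_if $vpn_gw) proto esp from any to $peer

# IKE / NAT-T and ordinary outbound traffic follow the normal route.
pass out on $ext_if proto udp from any to $peer port { 500, 4500 } keep state
pass out on $ext_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -i pflog0 proto esp`: each logged ESP packet is printed with `rule N/0(match): pass out on em0` or `block out on em0`, so you can see which rule pf applied; `pfctl -vvsr` shows the per-rule packet counters for the same information. If ESP traffic reaches the wire but never appears on pflog0 even with `block log all` in place, pf did not evaluate that packet on the way out, which is the symptom Tom describes.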