Date: Mon, 20 Mar 2017 15:08:33 +0100
From: "Marin Bernard" <lists@olivarim.com>
To: lists@olivarim.com, freebsd-pf@freebsd.org
Subject: Re: Support for the enc(4) pseudo-interface
Message-ID: <1490018913-f1619c15ef073d0f123d2a0940047986@olivarim.com>
Sorry for the noise: the webmail ate my message. Here is the full version:

Hi all,

I set up IPsec between several FreeBSD 11-RELEASE hosts. IKEv2 is managed by security/openiked.

I use pf to filter the traffic, and the rulesets include several references to the enc0 pseudo-interface, which allow inbound traffic filtering *after* IPsec decryption. So far, the whole configuration works fine.

I noticed that the enc0 pseudo-interface was not shown in the output of the `ifconfig` command, whereas it is on OpenBSD. AFAIK, the GENERIC kernel does not include the enc pseudo-device, since I could not find a "device enc" line in the kernel config file. The lack of such a device would explain why it is not manageable as a network interface, and why `ifconfig enc0 create` fails.

Yet, it appears that pf is able to handle references to enc(4) in its ruleset even if the kernel does not support it. Is it expected behaviour? Is it safe to use such a configuration on a production machine?

Thanks,
Marin.

On 20 March 2017 at 14:20, "Marin Bernard" wrote:

> Hi all,
>
> I've just set up IPsec between two FreeBSD 11-RELEASE hosts with security/openiked.
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
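The split Marin describes, with the outer IKE/ESP traffic filtered on the physical interface and the decrypted traffic filtered on enc0, looks like the following in pf.conf. This is an added illustration, not Marin's ruleset or anything from the thread; the interface name em0, the peer address 192.0.2.2 and the subnet 10.0.2.0/24 are placeholders chosen for the example.

```pf
# Added example (not the ruleset from the e-mail): a minimal pf.conf that
# keeps the outer, still-encrypted traffic on the physical interface and
# filters the decrypted traffic on enc0. The interface name, the peer
# address and the subnets are assumptions chosen for illustration.
ext_if     = "em0"
ipsec_if   = "enc0"
peer       = "192.0.2.2"
remote_net = "10.0.2.0/24"

set skip on lo0

# Default deny. pf evaluates the whole ruleset and the last matching rule
# wins, so the pass rules below override this for the traffic they name.
block log all

# Outer traffic on the physical interface: only IKE (UDP 500), NAT-T
# (UDP 4500) and ESP, and only to and from the known peer. Nothing in the
# inner packets is visible here; they are still encrypted.
pass in  on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 }
pass in  on $ext_if proto esp from $peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer

# Inner traffic: enc0 is where IPsec hands packets to the firewall after
# decrypting them (and before encrypting outgoing ones), so these rules,
# not the ones on $ext_if, decide what the remote network may reach.
pass in  on $ipsec_if proto tcp  from $remote_net to ($ext_if) port { 22, 443 }
pass in  on $ipsec_if proto icmp from $remote_net to ($ext_if)
pass out on $ipsec_if from ($ext_if) to $remote_net
```

`pfctl -vnf /etc/pf.conf` only checks the syntax; pfctl accepts an interface name in a rule whether or not that interface currently exists, so a clean parse says nothing about whether the enc0 rules can ever match. Confirm the interface is really there with `ifconfig enc0` (if it is missing, add `device enc` to the kernel configuration, or load the if_enc module where the kernel provides it), then watch decrypted packets with `tcpdump -ni enc0` and check with `pfctl -vsr` that the counters on the enc0 rules increase while tunnel traffic flows.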
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1490018913-f1619c15ef073d0f123d2a0940047986>