Date:      Mon, 26 Mar 2007 08:47:07 +0200
From:      Andre Albsmeier <Andre.Albsmeier@siemens.com>
To:        Volker <volker@vwsoft.com>
Cc:        Andre Albsmeier <Andre.Albsmeier@siemens.com>, Andrew Thompson <thompsa@freebsd.org>, freebsd-pf@freebsd.org
Subject:   Re: 6.2-STABLE: enc0 sees only outgoing packets in pf
Message-ID:  <20070326064707.GA83792@curry.mchp.siemens.de>
In-Reply-To: <46071AAC.2020101@vwsoft.com>
References:  <20070323115043.GA6991@curry.mchp.siemens.de> <46052572.9070402@vwsoft.com> <20070324185928.GC45070@heff.fud.org.nz> <46071AAC.2020101@vwsoft.com>


On Mon, 26-Mar-2007 at 02:58:20 +0200, Volker wrote:
> Andrew, Andre & all,
> 
> I've checked it out once more (with a corrected setup) and now have
> been able to block traffic on enc0 in both directions (no matter if
> the tunnel endpoint is final destination or not).

Does that mean that a rule

block in log quick on enc0

on top of all rules actually blocks anything (assuming you don't
have another state-keeping outgoing rule for enc0)?

	-Andre

> 
> Sorry for my first false posting.
> 
> In this test case both machines (tunnel endpoints) are:
> 
> FreeBSD ... 6.2-RELEASE-p1 FreeBSD 6.2-RELEASE-p1 #0: Sun Feb 11
> 22:35:18 CET 2007     root@...:/usr/obj/usr/src/sys/GwMbg  i386
> 
> One machine is using racoon (ipsec-tools), the other is using racoon2.
> 
> `ifconfig enc0':
> enc0: flags=41<UP,RUNNING> mtu 1536
> 
> relevant kernconf parts:
> options         FAST_IPSEC
> device          random
> device          enc
> device          crypto
> 
> Andre:
> 
> If you still have trouble getting IPSec + enc0 + pf to work, please
> post me a private message. I know it's hard to find someone who has
> a working IPSec setup and is willing to help.
> 
> At least my test setup shows it is not just possible to block
> traffic on device enc0 using pf, but to see all traffic in the pf
> logs (if being configured to do so).
> 
> Probably you're willing to show us your pf rules to have a look at it?
> 
> Have pfun! ;)
> 
> Volker

-- 
Any project manager who believes he manages projects also
believes that brimstone butterflies ("Zitronenfalter", literally "lemon folders") fold lemons.


