Date: Mon, 05 Mar 2007 14:46:41 +0100
From: Volker Werth <vwerth@vwsoft.com>
To: Tom Judge <tom@tomjudge.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Re: Tracing packets passing through PF
Message-ID: <45EC1F41.2060202@vwsoft.com>
In-Reply-To: <45EBE118.1010602@tomjudge.com>
References: <45E75454.2060302@tomjudge.com> <000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net> <45E7F00B.6010306@tomjudge.com> <001901c75cb1$040435a0$0c0ca0e0$@Hennessy@nviz.net> <45E81AC3.5020304@tomjudge.com> <003901c75e88$c1b7cd40$452767c0$@Hennessy@nviz.net> <45EBE118.1010602@tomjudge.com>

On 12/23/-58 20:59, Tom Judge wrote:
> The packet is not getting filtered; it leaves the host and passes on the
> wire to the default gateway. There are no issues with the traffic being
> filtered by the originating host's firewall, the problem is that the ESP
> packet's next hop is not being modified by the source routing rule and is
> therefore being sent to the incorrect gateway, where the ISP filters the
> packet. It is only the ESP traffic that fails to be routed correctly,
> all other traffic is fine. It is almost as if the ESP packet never
> enters PF and is transmitted straight out onto the network, hence me
> starting this thread about being able to trace the packet through the
> stack.
>
> Tom

Tom,

could you describe in a bit more detail what you're doing with IPSec
and what you're trying to do using pf?

I've not followed the whole thread as I've had no time to read email
over the weekend. If you already posted all the information, please
forgive me and point me to that message.

I've done a lot of work with IPSec (+ipsec_tools, racoon2 etc.) and have
also seen strange behaviour of ESP data not passing the firewall.

Are you using IPSEC or FAST_IPSEC? Are you using GIF tunnels? Are you
using ENC?

Could you please give us your routing table (partially)?

Thanks,
Volker

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45EC1F41.2060202>
