GRE and PF problem
Giovanni P. Tirloni
gpt at tirloni.org
Thu Jul 14 12:51:52 GMT 2005
Alex Povolotsky wrote:
> compunction wrote:
>
>> GRE needs to pass bidirectional. You will need a binat to make it
>> work. I have not found a firewall that will allow GRE to work with a
>> many to one nat.
>
> The most painful thing is that pf's nat works for GRE - SOMETIMES :-(
>
> The only thing firewall needs to implement for natting GRE is creation
> of two rules (forward and back) for GRE packet, just like it does for ICMP.
>
> I'm not a firewall writer, but as far as I understand general procedural
> programming, it cannot be THAT complicated.
When a packet comes from 1.2.3.4 to your external interface, you can't
determine if it's destined to 192.168.0.1 or 192.168.0.2 if both
initiated a GRE tunnel to 1.2.3.4. That's because GRE doesn't have ports
like UDP or TCP to make (de)multiplexing possible, AFAIK.
http://www.networksorcery.com/enp/protocol/gre.htm
--
Giovanni P. Tirloni / gpt at tirloni.org / PGP: 0xD0315C26
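The demultiplexing problem Giovanni describes, as an added example that is not part of the original thread or of pf: a toy NAT state table in Python that builds minimal IPv4/TCP and IPv4/GRE (RFC 2784 base header) packets, keys TCP state on the 5-tuple and GRE state on (protocol, src, dst) because the GRE base header has no port-like field, and shows that two inside hosts tunnelling to the same peer collapse into one reverse-mapping entry. The NAT box's external address 203.0.113.1 and the ports used are constructed for this example; the addresses 1.2.3.4, 192.168.0.1 and 192.168.0.2 come from the post.

```python
"""Added example (not from the original post or from pf): why many-to-one
NAT can demultiplex TCP replies but not plain GRE replies.

Constructed assumptions: external address 203.0.113.1, TCP state keyed on
the 5-tuple, GRE state keyed on (proto, src, dst) only, since the RFC 2784
GRE base header (C flag, reserved, version, protocol type) has no port.
"""
import struct

EXT_IP = "203.0.113.1"      # constructed: external address of the NAT box
PEER = "1.2.3.4"            # remote tunnel endpoint from the post
INSIDE_A = "192.168.0.1"
INSIDE_B = "192.168.0.2"
PROTO_TCP, PROTO_GRE = 6, 47


def _ip_bytes(a):
    return bytes(int(o) for o in a.split("."))


def _ip_str(b):
    return ".".join(str(o) for o in b)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def build_tcp(sport, dport):
    """TCP header: ports, seq, ack, data offset 5, SYN flag, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_gre(proto_type=0x0800):
    """RFC 2784 GRE base header: C=0, reserved=0, version 0, protocol type."""
    return struct.pack("!HH", 0, proto_type)


def parse(pkt):
    """Extract the fields a NAT could hash on. GRE yields no port fields."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"proto": proto, "src": _ip_str(pkt[12:16]), "dst": _ip_str(pkt[16:20])}
    body = pkt[ihl:]
    if proto == PROTO_TCP:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    elif proto == PROTO_GRE:
        flags, info["gre_proto"] = struct.unpack("!HH", body[:4])
        info["gre_version"] = flags & 0x7
        # nothing here distinguishes one inside host's tunnel from another's
    return info


class NatTable:
    """Naive many-to-one NAT: records the key a reply packet will carry."""

    def __init__(self):
        self.inbound_map = {}   # reply-side key -> (inside address, inside port)
        self.collisions = []    # reply keys that two inside hosts fought over
        self._next_port = 40000

    def outbound(self, pkt):
        p = parse(pkt)
        if p["proto"] == PROTO_TCP:
            ext_port = self._next_port          # unique external port per flow
            self._next_port += 1
            reply_key = (PROTO_TCP, p["dst"], p["dport"], EXT_IP, ext_port)
            inside = (p["src"], p["sport"])
        elif p["proto"] == PROTO_GRE:
            reply_key = (PROTO_GRE, p["dst"], EXT_IP)   # no port to make it unique
            inside = (p["src"], None)
        else:
            raise ValueError("unsupported protocol %d" % p["proto"])
        old = self.inbound_map.get(reply_key)
        if old is not None and old != inside:
            self.collisions.append((reply_key, old, inside))
        self.inbound_map[reply_key] = inside    # last tunnel wins, silently
        return reply_key

    def inbound(self, pkt):
        p = parse(pkt)
        if p["proto"] == PROTO_TCP:
            key = (PROTO_TCP, p["src"], p["sport"], p["dst"], p["dport"])
        elif p["proto"] == PROTO_GRE:
            key = (PROTO_GRE, p["src"], p["dst"])
        else:
            return None
        return self.inbound_map.get(key)


def tcp_demo():
    """Two inside hosts, same source port, same peer: replies still demux."""
    nat = NatTable()
    nat.outbound(build_ipv4(INSIDE_A, PEER, PROTO_TCP, build_tcp(51000, 443)))
    nat.outbound(build_ipv4(INSIDE_B, PEER, PROTO_TCP, build_tcp(51000, 443)))
    reply_a = build_ipv4(PEER, EXT_IP, PROTO_TCP, build_tcp(443, 40000))
    reply_b = build_ipv4(PEER, EXT_IP, PROTO_TCP, build_tcp(443, 40001))
    return nat.inbound(reply_a)[0], nat.inbound(reply_b)[0], len(nat.collisions)


def gre_demo():
    """Two inside hosts tunnelling to 1.2.3.4: one reply key, one collision."""
    nat = NatTable()
    nat.outbound(build_ipv4(INSIDE_A, PEER, PROTO_GRE, build_gre()))
    nat.outbound(build_ipv4(INSIDE_B, PEER, PROTO_GRE, build_gre()))
    reply = build_ipv4(PEER, EXT_IP, PROTO_GRE, build_gre())
    return nat.inbound(reply)[0], len(nat.collisions)


if __name__ == "__main__":
    print("TCP:", tcp_demo())   # both inside hosts get their own replies
    print("GRE:", gre_demo())   # whichever host started its tunnel last gets all replies
```

The TCP case works even though both inside hosts picked the same source port, because the NAT rewrites the source port to a unique external one and the reply carries it back. The GRE case has no such field: the reply from 1.2.3.4 to 203.0.113.1 matches one table entry, so the second tunnel silently steals the first one's traffic, which is exactly the "works sometimes" behaviour reported in the thread. A PPTP-aware proxy can do better only because PPTP's enhanced GRE (version 1) carries a call ID the helper can key on; plain RFC 2784 GRE gives a NAT nothing to work with, and the binat suggested earlier in the thread avoids the problem by giving each inside host its own external address.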
More information about the freebsd-net mailing list