pf not seeing inbound packets on netgraph interface

Melissa Jenkins melissa-freebsd at littlebluecar.co.uk
Fri Jan 6 13:26:31 UTC 2012


> 
> On Jan 4, 2012, at 12:03 AM, Ermal Luçi wrote:
> 
>> Can you see if on the enc(4) interface pf(4) sees both side of the traffic?
> 
> I can on enc0. Doing a tcpdump(1) shows me traffic traveling both ways. Should there be a pf(4) interface for me to listen on? I've listened on pflog(4), and only seen traffic going one way, even when I have relevant rules set to "log(all)"
> 

I had this problem when trying to firewall/NAT traffic from MPD - it appeared that MPD inserts the packets directly into the middle of the packet flow, without triggering any inbound processing by PF.

IPsec does this correctly if you have set the sysctls as per the man page on enc, as does PopTop and ppp (which was my solution to the MPD issue).

It didn't matter what firewall rules were configured, and this behaviour was present in the 7 branch as well as 8.

Mel

