Tracing packets passing through PF

Volker Werth vwerth at vwsoft.com
Mon Mar 5 14:18:58 UTC 2007


On 12/23/-58 20:59, Tom Judge wrote:
> The packet is not getting filtered; it leaves the host and passes on the
> wire to the default gateway.  There are no issues with the traffic being
> filtered by the originating host's firewall; the problem is that the ESP
> packet's next hop is not being modified by the source routing rule and is
> therefore being sent to the incorrect gateway, where the ISP filters the
> packet.  It is only the ESP traffic that fails to be routed correctly;
> all other traffic is fine. It is almost as if the ESP packet never
> enters PF and is transmitted straight out onto the network, hence me
> starting this thread about being able to trace the packet through the
> stack.
> 
> Tom

Tom,

could you describe in a bit more detail what you're doing with IPSec
and what you're trying to do using pf? I've not followed the whole
thread as I've had no time to read email over the weekend. If you
have already posted all the info, please forgive me and point me to that
message.

I've done a lot of work with IPSec (+ipsec_tools, racoon2 etc.) and
have also seen strange behaviour of ESP data not passing the firewall.

Are you using IPSEC or FAST_IPSEC? Are you using GIF tunnels? Are
you using ENC? Could you please give us your routing table (partially)?

Thanks,

Volker
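As an added illustration (not part of this thread, and not Tom's or Volker's configuration), the pf.conf fragment below shows one way to answer the question the thread is about: whether outbound ESP traverses a pf route-to rule at all. The interface name, peer address and gateway are assumed placeholders; the checks in the comments rely on pflog(4) recording the matching rule number for each logged packet.

```pf
# Added example, not from the thread. Assumed placeholders: em0 as the
# external interface, 198.51.100.10 as the IPsec peer, 203.0.113.1 as
# the gateway the ESP traffic is supposed to use. Adjust to your setup.
ext_if     = "em0"
ipsec_peer = "198.51.100.10"   # constructed placeholder for the IPsec peer
isp2_gw    = "203.0.113.1"     # constructed placeholder for the alternate gateway

# Log ESP leaving the host and force it via the alternate gateway.
# If the pflog0 capture below never shows these packets while ESP is
# visible on $ext_if, the packet was not matched by this rule, which is
# the symptom described in the thread.
pass out log quick on $ext_if proto esp from any to $ipsec_peer \
    route-to ($ext_if $isp2_gw) keep state

# Checks (run as root after 'pfctl -f /etc/pf.conf'):
#   pfctl -vvsr
#       per-rule packet/byte counters and rule numbers; the rule number
#       is what pflog records for each logged packet
#   tcpdump -n -e -ttt -i pflog0 proto esp
#       logged ESP packets with matching rule number, action and direction
#   tcpdump -n -i em0 proto esp
#       what actually leaves on the wire, for comparison with pflog0
#
# Note: if enc(4)/enc0 is in use, filtering on enc0 sees the inner
# (unencrypted) packets before and after IPsec processing, not the
# resulting ESP packets; the ESP packets themselves are only seen on the
# real outbound interface.
```

Comparing the rule counters and the pflog0 capture with the capture on the external interface separates "pf never matched the ESP packet" from "pf matched it but the route-to did not take effect", which are two different problems to chase.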