6.2-STABLE: enc0 sees only outgoing packets in pf

Andre Albsmeier Andre.Albsmeier at siemens.com
Fri Mar 23 12:09:23 UTC 2007


[Retrying on -pf...]

(This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)

Yesterday I started to play around with enc0 in pf. I hoped I
could now control IPSEC traffic in the standard way with pf rules
but it seems that only outgoing packets hit enc0. I added a

pass quick log on enc0 all

on top of all pf rules. When sending a single ping packet to
the remote side everything works but the only thing I see is

Mar 18 10:20:11 <local0.warn> gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)

(192.168.164.81 is my local gif0 address and 10.0.1.32 the remote).

However, when running a tcpdump on enc0 we see the answer as well:

listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 1550 bytes
10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4)
10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4)

(A.B.C.D is my local gif0 tunnel endpoint and E.F.G.H the remote).

Just to make things clear: IPSEC works (as it did for years), I'm
just not able to control the incoming packets with enc0 in pf.

Any ideas? Thanks,

	-Andre


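As an added illustration (not part of the original post or of FreeBSD's pf), the check below does mechanically what the message does by hand: it parses pflog syslog lines and tcpdump output in the formats quoted above, counts per-interface directions, and lists packets that tcpdump saw on enc0 but that pf never logged there. The sample lines are constructed to match the post (the gif0 lines are invented for contrast), and the local address set is an assumption taken from the post's description of 192.168.164.81.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the original post): pflog lines in the
# syslog format pflogd produces, and tcpdump output from enc0. The enc0 lines
# mirror the ones quoted in the message; the gif0 lines are made up.
SAMPLE_PFLOG = """\
Mar 18 10:20:11 <local0.warn> gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)
Mar 18 10:20:11 <local0.warn> gate pflogd: @1 pass out gif0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)
Mar 18 10:20:11 <local0.warn> gate pflogd: @1 pass in gif0 ICMP 10.0.1.32 -> 192.168.164.81 0 (echo reply)
"""

SAMPLE_TCPDUMP = """\
10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4)
10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4)
"""

# Assumption: the local gif0 address named in the post is "ours"; anything
# addressed to it is inbound.
LOCAL_ADDRS = {"192.168.164.81"}

PFLOG_RE = re.compile(
    r"pflogd: @(?P<rule>\d+) (?P<action>pass|block) (?P<dir>in|out) "
    r"(?P<ifname>\S+) (?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+)"
)
# Only the innermost IP header is followed by ": ICMP", so this matches the
# tunnelled packet, not the outer ESP tunnel endpoints.
TCPDUMP_ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)


def parse_pflog(text):
    """Return one dict per line that matches the pflogd syslog format."""
    return [m.groupdict() for m in map(PFLOG_RE.search, text.splitlines()) if m]


def parse_tcpdump_icmp(text, local_addrs):
    """Return (dir, src, dst) for each ICMP echo tcpdump printed; direction
    is decided by whether the destination is one of our own addresses."""
    packets = []
    for line in text.splitlines():
        m = TCPDUMP_ICMP_RE.search(line)
        if not m:
            continue
        direction = "in" if m["dst"] in local_addrs else "out"
        packets.append((direction, m["src"], m["dst"]))
    return packets


def direction_counts(records):
    """Per-interface count of 'in' and 'out' pflog records."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        counts[r["ifname"]][r["dir"]] += 1
    return dict(counts)


def one_way_interfaces(records):
    """Interfaces on which pf logged traffic in exactly one direction,
    which is the symptom described in the post for enc0."""
    return sorted(ifn for ifn, c in direction_counts(records).items()
                  if (c["in"] == 0) != (c["out"] == 0))


def unlogged_packets(pflog_records, tcpdump_packets, ifname):
    """ICMP packets tcpdump saw on ifname that pf never logged there."""
    logged = {(r["dir"], r["src"], r["dst"]) for r in pflog_records
              if r["ifname"] == ifname and r["proto"] == "ICMP"}
    return [p for p in tcpdump_packets if p not in logged]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    pkts = parse_tcpdump_icmp(SAMPLE_TCPDUMP, LOCAL_ADDRS)
    print("per-interface counts:", direction_counts(recs))
    print("one-way interfaces:", one_way_interfaces(recs))
    print("on enc0 per tcpdump but not per pf:", unlogged_packets(recs, pkts, "enc0"))
```

Run against a real host, feed it the pflog output from `tcpdump -n -e -ttt -r /var/log/pflog` (or the syslog lines pflogd writes) together with a `tcpdump -i enc0` capture taken over the same window; an interface that appears in `one_way_interfaces` while `unlogged_packets` is non-empty reproduces exactly the situation the post describes, and a `pass quick log on enc0 all` rule that only ever logs `out` is the thing to verify next.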