6.2-STABLE: enc0 sees only outgoing packets in pf
volker at vwsoft.com
Sat Mar 24 13:20:22 UTC 2007
On 12/23/-58 20:59, Andre Albsmeier wrote:
> [Retrying on -pf...]
> (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
> Yesterday I started to play around with enc0 in pf. I hoped I
> could now control IPSEC traffic in the standard way with pf rules
> but it seems that only outgoing packets hit enc0. I added a
> pass quick log on enc0 all
Do you really use that rule? If you're using a 'keep state' option
this would give the behavior you're experiencing.
> on top of all pf rules. When sending a single ping packet to
> the remote side everything works but the only thing I see is
> Mar 18 10:20:11 <local0.warn> gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)
> (192.168.164.81 is my local gif0 address and 10.0.1.32 the remote).
> However, when running a tcpdump on enc0 we see the answer as well:
> listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 1550 bytes
> 10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4)
> 10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4)
> (A.B.C.D is my local gif0 tunnel endpoint and E.F.G.H the remote).
> Just to make things clear: IPSEC works (as it did for years), I'm
> just not able to control the incoming packets with enc0 in pf.
Not really what you're asking for but... I think you won't like to
see _every_ packet in the firewall logs. Instead you really want to
see the first packet which will initiate a session and have pf keep
state of it.
On the other side, I've played with device enc a few weeks ago and
was asking for clarification on net@ but didn't get any reply.
What's really strange is packets coming through an IPSec tunnel can
be seen by pf on device enc but packets are still passing through
even if device enc0 is down.
So from my experience device enc currently is a bit strange in
behavior (at least on -STABLE). Also AFAIR I haven't been able to
block packets on device enc0 using pf. I suspect device enc is
currently a bit of a hack and currently probably only useful for
packet / connection logging but not for real firewalling. You might
check out if you're able to block anything on enc0 (my memories
might be wrong) and play with it a bit.
I suspect packets do not really pass device enc but are getting
duplicated to enc while being processed by IPSec.
More information about the freebsd-pf