6.2-STABLE: enc0 sees only outgoing packets in pf

Volker volker at vwsoft.com
Mon Mar 26 12:40:09 UTC 2007


On 03/26/07 08:47, Andre Albsmeier wrote:
> On Mon, 26-Mar-2007 at 02:58:20 +0200, Volker wrote:
>> Andrew, Andre & all,
>>
>> I've checked it out once more (with a corrected setup) and now have
>> been able to block traffic on enc0 in both directions (no matter if
>> the tunnel endpoint is final destination or not).
> 
> Does that mean that a rule
> 
> block in log quick on enc0
> 
> on top of all rules actually blocks anything (assuming you don't
> have another state-keeping outgoing rule for enc0)?

Yes, that's what it does. I've restricted traffic on the enc
interface to ICMP only, in and out (I've tested in a production
environment, so I needed to avoid disturbing any other legitimate
traffic), and I've been able to block that traffic.

As I've written in a private message (this goes for the archives
here...) I've had trouble blocking traffic on enc0 with a version
prior to 6.2-RELEASE. Now (with 6.2-RELEASE and up) enc(4) does seem
to work properly.

There should be just one simple note in the man page about the fact
that enc will unconditionally pass all traffic if the interface is
down. Also, currently enc is not even in NOTES.

HTH,

Volker
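The ruleset Volker describes (default-deny on enc0 with ICMP allowed in and out), written out as a pf.conf fragment. This is an added example, not a ruleset posted in the thread; the external interface name, the ESP/IKE pass rules and the ICMP-only policy are assumptions.

```pf
# Added example, not from the thread. $ext_if, the ESP/IKE rules and
# the ICMP-only policy on enc0 are assumptions for illustration.
# Requires 6.2-RELEASE or later, and enc0 must be up
# (ifconfig enc0 up): a down enc interface passes all decrypted
# traffic unfiltered, as noted above.
ext_if = "em0"

set skip on lo0

# Let the IPsec control and data plane reach this host on the outer
# interface; the decrypted inner packets are filtered on enc0.
pass in quick on $ext_if proto udp from any to ($ext_if) port 500
pass in quick on $ext_if proto esp from any to ($ext_if)

# Default-deny on enc0, both directions, logged to pflog0. This rule
# has no "quick", so the more specific pass rules below override it
# for ICMP only. Everything else arriving over the tunnel, whether
# this host is its final destination or not, is dropped.
block log on enc0 all

# The one protocol permitted through the tunnel during the test.
# "keep state" here is what Andre asks about: a stateful pass rule on
# enc0 allows the matching replies; without it, the block above also
# catches them.
pass in  quick on enc0 inet proto icmp keep state
pass out quick on enc0 inet proto icmp keep state
```

Load it with `pfctl -f /etc/pf.conf`, then confirm the drops are being logged with `tcpdump -n -e -ttt -i pflog0` while sending non-ICMP traffic through the tunnel.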


