Packet filtering with pf and gif tunnels.

Lewis Thompson lewiz at fajita.org
Sat Jan 8 16:24:09 PST 2005


Hi,

I am wondering what sequence a packet goes through when it is passing
through a gif tunnel.  I have the following interface and gif tunnel
(with the equivalent being on the same subnet at the other side):

fxp0: a.a.a.a/24
gif0: a.a.a.a -> a.a.a.b (192.168.0.1/32 -> 192.168.0.2/32)

My question is really what order the packet passes through my
firewall (pf) in, i.e., is it:

in on fxp0 from a.a.a.b to a.a.a.a
(unencapsulated)
in on gif0 from 192.168.0.2 to 192.168.0.1

or does it just magically ``appear'' on gif0 straight away?  Now I write
it out I am assuming that it passes through pf twice (first on fxp0 and
secondly on gif0); if this is in fact the case, what sensible rule might
I add to allow this encapsulated traffic from a.a.a.b?

Currently I have pf configured as follows:

# pf applies the last matching rule unless "quick" is given, so the
# "block in on fxp0" below overrides "pass all" for inbound fxp0 traffic.
pass all

pass quick proto icmp

block in on fxp0
pass out on fxp0 keep state
pass in on fxp0 proto tcp from any to fxp0 port 22 keep state

The reason I ask this question is that for my tunnel endpoints to ping
each other, a.a.a.a must be doing so (a.a.a.b has no firewall).

  Thank you,

-Lewis Thompson.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.
-| msn:lewiz at fajita.org | jabber:lewiz at jabber.org | url:www.lewiz.org |-
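An added example ruleset, not the original poster's own pf.conf, showing the two places the tunnel traffic is filtered. A gif tunnel's packets arrive on the physical interface still encapsulated, as IP protocol 4 (IPv4-in-IPv4, named "ipencap" in /etc/protocols), and are then seen a second time on gif0 with the inner addresses after decapsulation. The outer endpoints a.a.a.a and a.a.a.b are the placeholders from the post; the macro names and the 192.168.0.0/24 inner network are assumptions made for the example.

```pf
# Added example, not the original poster's ruleset.
# a.a.a.a / a.a.a.b are the tunnel's outer endpoints from the post;
# the macro names and the inner network are assumptions.
ext_if    = "fxp0"
tun_if    = "gif0"
local_ep  = "a.a.a.a"
remote_ep = "a.a.a.b"
inner_net = "192.168.0.0/24"

# Same baseline as the post: last matching rule wins unless "quick".
pass all
pass quick proto icmp

# Outside interface: default deny inbound, allow ssh.
block in on $ext_if
pass out on $ext_if keep state
pass in  on $ext_if proto tcp from any to $ext_if port 22 keep state

# First pass: the encapsulated packet hits fxp0 as IP protocol 4
# ("ipencap").  Accept it only from the known peer, to our own
# endpoint address.  This is the rule the original ruleset lacks.
pass in  on $ext_if proto ipencap from $remote_ep to $local_ep keep state
pass out on $ext_if proto ipencap from $local_ep to $remote_ep keep state

# Second pass: after decapsulation the same packet appears on gif0
# with the inner (192.168.0.x) addresses, so it is filtered like any
# other interface.  Default deny here too, then allow what the tunnel
# is actually for.
block in on $tun_if
pass in  on $tun_if inet proto icmp from $inner_net to $tun_if keep state
pass in  on $tun_if inet proto tcp  from $inner_net to $tun_if port 22 keep state
pass out on $tun_if keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then confirm the two-stage flow while pinging the far end: `tcpdump -ni fxp0 'ip proto 4'` shows the encapsulated packets between a.a.a.a and a.a.a.b, `tcpdump -ni gif0` shows the same traffic with the inner addresses, and `pfctl -s states` should list one ipencap state on fxp0 and one icmp state on gif0. Without the ipencap rule, the `block in on fxp0` line silently drops the outer packet and nothing ever reaches gif0, which matches the symptom that only a.a.a.b (with no firewall) can initiate the ping.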