Packet filtering with pf and gif tunnels.
lewiz at fajita.org
Sat Jan 8 16:24:09 PST 2005
I am wondering what sequence a packet goes through when it is passing
through a gif tunnel. I have the following interface and gif tunnel
(with the equivalent being on the same subnet at the other side):
gif0: a.a.a.a -> a.a.a.b (192.168.0.1/32 -> 192.168.0.2/32)
My question is really what order the packet passes through my
firewall (pf) in, i.e., is it:
in on fxp0 from a.a.a.b to a.a.a.a
in on gif0 from 192.168.0.2 to 192.168.0.1
or does it just magically "appear" on gif0 straight away? Now that I write
it out I am assuming that it passes through pf twice (first on fxp0 and
secondly on gif0); if this is in fact the case, what sensible rule might
I add to allow this encapsulated traffic from a.a.a.b?
Currently I have pf configured as follows:
# allow ICMP on every interface, no further evaluation
pass quick proto icmp
# default deny inbound on the external interface
block in on fxp0
# outbound traffic, replies allowed back by state
pass out on fxp0 keep state
# inbound ssh to the firewall's own address
pass in on fxp0 proto tcp from any to fxp0 port 22 keep state
The reason I ask this question is that for my tunnel endpoints to ping
each other, a.a.a.a must be doing so (a.a.a.b has no firewall).
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
-| msn:lewiz at fajita.org | jabber:lewiz at jabber.org | url:www.lewiz.org |-
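The following pf.conf is an added example, not part of the original post. It assumes the setup as described: fxp0 carries the outer (encapsulated) packets between a.a.a.a and a.a.a.b, and gif0 carries the decapsulated inner packets between 192.168.0.1 and 192.168.0.2. A gif tunnel is IP-in-IP, so the outer packet is IP protocol 4 (ipencap) and is evaluated by pf on fxp0; after decapsulation the inner packet is evaluated again on gif0. The macro names and the split into an "outer leg" and an "inner leg" are the example's own choices.

```conf
# Added example (not from the original post). Assumed layout:
#   fxp0          physical interface, outer endpoints a.a.a.a <-> a.a.a.b
#   gif0          tunnel interface, inner addresses 192.168.0.1 <-> 192.168.0.2
ext_if   = "fxp0"
tun_if   = "gif0"
peer_ext = "a.a.a.b"
peer_in  = "192.168.0.2"

set skip on lo0

# --- outer leg: what pf sees on fxp0 ---
# The tunnel packets arrive as IP protocol 4 (ipencap, IP-in-IP) from the
# far endpoint. Without an explicit pass they are dropped by the default
# "block in" before gif0 ever sees them, which is why the ping only works
# when initiated from the side that has no firewall.
block in log on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto ipencap from $peer_ext to $ext_if
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state

# --- inner leg: the same packet, decapsulated, now on gif0 ---
# pf evaluates it a second time with the inner addresses, so the policy for
# the real traffic belongs here. Keep the default deny on gif0 too; the
# outer rule only says "this peer may send me a tunnel", not what may be
# inside it.
block in log on $tun_if
pass in on $tun_if inet proto icmp from $peer_in to $tun_if
pass in on $tun_if proto tcp from $peer_in to $tun_if port 22 keep state
pass out on $tun_if keep state
```

Before loading, `pfctl -nf /etc/pf.conf` checks the syntax (the a.a.a.b placeholder must of course be a real address). To confirm the two-pass behaviour, `tcpdump -ni fxp0 proto 4` shows the encapsulated packets on the outer interface while `tcpdump -ni gif0` shows the decapsulated ones; with `log` on the block rules, `tcpdump -ni pflog0` reports on which interface a packet was dropped and by which rule, and `pfctl -vsr` shows per-rule match counters.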