Packet filtering with pf and gif tunnels.
J65nko BSD
j65nko at gmail.com
Sat Jan 8 17:14:49 PST 2005
On Sun, 9 Jan 2005 00:23:55 +0000, Lewis Thompson <lewiz at fajita.org> wrote:
> Hi,
>
> I am wondering what sequence a packet goes through when it is passing
> through a gif tunnel. I have the following interface and gif tunnel
> (with the equivalent being on the same subnet at the other side):
>
> fxp0: a.a.a.a/24
> gif0: a.a.a.a -> a.a.a.b (192.168.0.1/32 -> 192.168.0.2/32)
>
> My question is really what order does the packet pass through my
> firewall (pf) in? i.e., is it:
>
> in on fxp0 from a.a.a.b to a.a.a.a
> (unencapsulated)
> in on gif0 from 192.168.0.2 to 192.168.0.1
>
> or does it just magically ``appear'' on gif0 straight away? Now I write
> it out I am assuming that it passes through pf twice (first on fxp0 and
> secondly on gif0); if this is in fact the case, what sensible rule might
> I add to allow this encapsulated traffic from a.a.a.b?
>
> Currently I have pf configured as follows:
>
> pass all
>
> pass quick proto icmp
>
> block in on fxp0
> pass out on fxp0 keep state
> pass in on fxp0 proto tcp from any to fxp0 port 22 keep state
>
> The reason I ask this question is that for my tunnel endpoints to ping
> each other, a.a.a.a must be doing so (a.a.a.b has no firewall).
>
> Thank you,
>
> -Lewis Thompson.
For some debugging strategies in a similar case with IPSEC see
http://www.bsdforums.org/forums/showthread.php?s=&threadid=18601
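As an added illustration (not part of either message in the thread), the ruleset below takes the poster's pf.conf as given and adds the rule the encapsulated traffic needs. It rests on two points of pf and gif(4) behaviour: an IPv4-in-IPv4 gif packet arrives on fxp0 as IP protocol 4 ("ipencap" in /etc/protocols), and pf evaluates it twice, first as the outer packet on fxp0 and then, after decapsulation, as the inner 192.168.0.x packet on gif0. In the original ruleset the outer packet is neither ICMP nor TCP/22, so "block in on fxp0" drops it unless this host sent first and "pass out on fxp0 keep state" already created a state entry, which matches the behaviour Lewis describes. The macro names are my own; a.a.a.a and a.a.a.b are the placeholders from the question and must be replaced by the real endpoint addresses before the file will load.

```pf
# Added example ruleset, not from the thread. Interface names and addresses
# are the ones given in the question; a.a.a.a / a.a.a.b stand for the real
# outer addresses of the two tunnel endpoints.
ext_if     = "fxp0"
tun_if     = "gif0"
local_ep   = "a.a.a.a"       # outer (fxp0) address of this host
remote_ep  = "a.a.a.b"       # outer address of the far tunnel endpoint
tun_local  = "192.168.0.1"
tun_remote = "192.168.0.2"

# The poster's original rules. pf is last-match, so the interface-specific
# rules further down override "pass all" for packets they match.
pass all
pass quick proto icmp

block in on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state

# Outer packets on fxp0: the gif tunnel carries IPv4 inside IPv4 with
# IP protocol 4 (ipencap). Allow it only between the two known endpoints,
# so the far side can initiate without opening fxp0 to other IP-in-IP.
pass in on $ext_if proto ipencap from $remote_ep to $local_ep keep state

# Inner packets: after decapsulation the same traffic is evaluated again
# as "in on gif0" with the 192.168.0.x addresses, so the tunnel contents
# can be filtered here independently of the outer rule. ICMP already
# passes via the quick rule above; this permits only SSH from the peer.
block in on $tun_if
pass in on $tun_if proto tcp from $tun_remote to $tun_local port 22 keep state
```

After loading with `pfctl -nf /etc/pf.conf` (syntax check) and `pfctl -f /etc/pf.conf`, `tcpdump -ni fxp0 ip proto 4` shows the encapsulated packets on the outer interface and `tcpdump -ni gif0` the decapsulated ones, which makes the two-pass ordering visible directly.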