GRE and PF problem

Alex Povolotsky tarkhil at
Thu Jul 14 06:43:11 GMT 2005

compunction wrote:

>GRE needs to pass bidirectional.  You will need a binat to make it
>work.  I have not found a firewall that will allow GRE to work with a
>many to one nat.

The most painful thing is that pf's nat works for GRE - SOMETIMES :-(

The only thing firewall needs to implement for natting GRE is creation 
of two rules (forward and back) for GRE packet, just like it does for ICMP.

I'm not a firewall writer, but as far as I understand general procedural 
programming, it cannot be THAT complicated.


