6.2-STABLE: enc0 sees only outgoing packets in pf

Volker volker at vwsoft.com
Sat Mar 24 19:35:53 UTC 2007


Andrew,

On 03/24/07 19:59, Andrew Thompson wrote:
>> What's really strange is packets coming through an IPSec tunnel can
>> be seen by pf on device enc but packets are still passing through
>> even if device enc0 is down.
>  
> The code does check if the interface is running but if it's not then just
> passes the packet through unhindered. Do you think it should behave like
> you describe where the packets are dropped?

IMHO this is ok but it should be documented at least on enc(4). A
short note like "if the device is down packets are still passing the
firewall unfiltered" or the like would help.

Also the following (from enc(4)):
"The enc interface allows an administrator to see outgoing packets..."

led me to the assumption enc is only of use for "seeing" traffic
but not of any use for filtering.

> 
> See line 204, change the check to this
>   if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
>      m_freem(*mp);
>      return (-1);
>   }
> 
>> So from my experience device enc currently is a bit strange in
>> behavior (at least on -STABLE). Also AFAIR I haven't been able to
>> block packets on device enc0 using pf. I suspect device enc is
>> currently a bit of a hack and currently probably only useful for
>> packet / connection logging but not for real firewalling. You might
>> check out if you're able to block anything on enc0 (my memories
>> might be wrong) and play with it a bit.
>  
> This should work as you say and if it's not then that's a bug. Can you log
> the packets with pflog to check they are being blocked?

Will try to do so but first I have to solve another issue with the
filesystem. I'll set up some experimental rules and see if I'm
able to block traffic on enc0. Please stay tuned.

Greetings,

Volker
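For the experiment described in the thread (blocking and logging on enc0 and confirming the result with pflog), the following pf.conf fragment is an added example, not rules from the original post or from the FreeBSD project. The 10.0.1.0/24 local network and the 192.0.2.0/24 remote tunnel network are constructed values.

```pf
# Added example pf.conf fragment (not from the original post).
# Assumed networks: local 10.0.1.0/24, remote IPsec peer side 192.0.2.0/24.
#
# Caveat noted in the thread: on 6.2-STABLE, if enc0 is not running, IPsec
# traffic is passed through without ever hitting these rules. Bring the
# interface up before testing:   ifconfig enc0 up

# Default for the tunnel: block everything and log it, so every decision
# on enc0 is visible on pflog0 whether or not it is actually enforced.
block log on enc0 all

# Permit SSH from the remote tunnel network to the local network, logged,
# so a matching "pass" entry in pflog can be compared against "block" ones.
pass in log on enc0 proto tcp from 192.0.2.0/24 to 10.0.1.0/24 port 22 \
    flags S/SA keep state

# Permit ICMP echo in both directions for quick reachability checks.
pass on enc0 inet proto icmp icmp-type echoreq keep state
```

Load the rules with `pfctl -f /etc/pf.conf`, confirm they are active with `pfctl -sr`, and watch the log device with `tcpdump -n -e -ttt -i pflog0` while sending traffic through the tunnel. A packet that appears in pflog0 as blocked on enc0 but still reaches its destination is exactly the symptom discussed above: the filter sees the packet and records a verdict, but the verdict is not enforced.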