6.2-STABLE: enc0 sees only outgoing packets in pf

Volker volker at vwsoft.com
Mon Mar 26 00:58:39 UTC 2007


Andrew, Andre & all,

I've checked it out once more (with a corrected setup) and now have
been able to block traffic on enc0 in both directions (no matter if
the tunnel endpoint is final destination or not).

Sorry for my first false posting.

In this test case both machines (tunnel endpoints) are:

FreeBSD ... 6.2-RELEASE-p1 FreeBSD 6.2-RELEASE-p1 #0: Sun Feb 11
22:35:18 CET 2007     root at ...:/usr/obj/usr/src/sys/GwMbg  i386

One machine is using racoon (ipsec-tools), the other is using racoon2.

`ifconfig enc0':
enc0: flags=41<UP,RUNNING> mtu 1536

relevant kernconf parts:
options         FAST_IPSEC
device          random
device          enc
device          crypto

Andre:

If you still have trouble getting IPSec + enc0 + pf to work, please
post me a private message. I know it's hard to find someone who has
a working IPSec setup and is willing to help.

At least my test setup shows it is not only possible to block
traffic on device enc0 using pf, but also to see all traffic in the pf
logs (if configured to do so).

Probably you're willing to show us your pf rules to have a look at it?

Have pfun! ;)

Volker
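As an added illustration of the kind of ruleset the post describes (this is not Volker's configuration and not taken from the thread), the following pf.conf fragment shows how decrypted IPsec traffic can be filtered and logged on enc0 in both directions, while IKE and ESP are passed on the external interface. Interface name, peer address and network prefixes are constructed placeholders.

```pf
# Constructed example, not the poster's ruleset.
# Assumptions: em0 is the external interface; 192.0.2.2 is the IPsec
# peer (placeholder); the tunnel connects 10.0.0.0/24 and 10.0.1.0/24.
ext_if     = "em0"
ipsec_peer = "192.0.2.2"
lan_net    = "10.0.0.0/24"
remote_net = "10.0.1.0/24"

set skip on lo0

# Encrypted traffic and key exchange are seen on the external interface.
# Only the known peer may talk IKE (500/udp, 4500/udp for NAT-T) and ESP.
pass in  quick on $ext_if proto udp from $ipsec_peer to ($ext_if) port { 500, 4500 }
pass in  quick on $ext_if proto esp from $ipsec_peer to ($ext_if)
pass out quick on $ext_if proto udp from ($ext_if) to $ipsec_peer port { 500, 4500 }
pass out quick on $ext_if proto esp from ($ext_if) to $ipsec_peer

# Cleartext packets appear on enc0: inbound after decryption, outbound
# before encryption. Default deny with logging so that every packet that
# crosses the tunnel shows up on pflog0.
block log on enc0

# Inbound from the remote site: only SSH to the local LAN.
pass in  log on enc0 proto tcp from $remote_net to $lan_net port 22 flags S/SA keep state

# Outbound from the local LAN to the remote site: anything, stateful.
pass out log on enc0 from $lan_net to $remote_net keep state
```

To confirm the rules are loaded and matching, `pfctl -vvsr` prints the ruleset with per-rule packet and byte counters, and `tcpdump -n -e -ttt -i pflog0` shows the logged packets together with the enc0 rule that matched them.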
