Packet filtering with pf and gif tunnels.
j65nko at gmail.com
Sat Jan 8 17:14:49 PST 2005
On Sun, 9 Jan 2005 00:23:55 +0000, Lewis Thompson <lewiz at fajita.org> wrote:
> I am wondering what sequence a packet goes through when it is passing
> through a gif tunnel. I have the following interface and gif tunnel
> (with the equivalent being on the same subnet at the other side):
> fxp0: a.a.a.a/24
> gif0: a.a.a.a -> a.a.a.b (192.168.0.1/32 -> 192.168.0.2/32)
> My question is really what order does the packet pass through my
> firewall (pf) in? i.e., is it:
> in on fxp0 from a.a.a.b to a.a.a.a
> in on gif0 from 192.168.0.2 to 192.168.0.1
> or does it just magically ``appear'' on gif0 straight away? Now I write
> it out I am assuming that it passes through pf twice (first on fxp0 and
> secondly on gif0); if this is in fact the case, what sensible rule might
> I add to allow this encapsulated traffic from a.a.a.b?
> Currently I have pf configured as follows:
> pass all
> pass quick proto icmp
> block in on fxp0
> pass out on fxp0 keep state
> pass in on fxp0 proto tcp from any to fxp0 port 22 keep state
> The reason I ask this question is that for my tunnel endpoints to ping
> each other, a.a.a.a must be doing so (a.a.a.b has no firewall).
> Thank you,
> -Lewis Thompson.
For some debugging strategies in a similar case with IPSEC see
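The following pf.conf is an added example, not part of the thread above or of anyone's reply. It shows the ruleset a gif tunnel needs on the setup Lewis describes: the encapsulated packet first hits pf on fxp0 as IP protocol 4 (ipencap, the gif outer header), and after decapsulation the inner packet is evaluated a second time on gif0. a.a.a.a and a.a.a.b are the placeholders from the question and must be replaced with the real outer endpoint addresses before pf will load the file; the macro names are my own.

```pf
# Added example (not from the thread). Interfaces and addresses as in the
# original question; replace a.a.a.b with the real peer address.
ext_if    = "fxp0"
tun_if    = "gif0"
remote_ep = "a.a.a.b"

# Original policy: default pass, ICMP allowed, everything inbound on fxp0
# blocked except SSH; outbound on fxp0 allowed with state.
pass all
pass quick proto icmp
block in on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state

# Pass 1: the tunnel packet arrives on fxp0 with the outer IP header,
# protocol 4 (ipencap). Without this rule "block in on fxp0" drops it and
# nothing ever reaches gif0. Outbound encapsulation is already covered by
# "pass out on $ext_if keep state".
pass in quick on $ext_if proto ipencap from $remote_ep to $ext_if

# Pass 2: the decapsulated inner packet is evaluated again, now on gif0
# with the tunnel's inner addresses. Restrict it to the tunnel subnet so a
# peer cannot inject arbitrary sources through the tunnel.
pass in  on $tun_if from 192.168.0.2 to 192.168.0.1 keep state
pass out on $tun_if from 192.168.0.1 to 192.168.0.2 keep state
```

To confirm the order on a running box, log the block rule (`block in log on fxp0`) and watch `tcpdump -ni pflog0`: before the ipencap rule is added, the drops show up as protocol 4 packets on fxp0 from a.a.a.b, not as inner packets on gif0. `tcpdump -ni fxp0 ip proto 4` and `tcpdump -ni gif0` side by side show the same packet at both stages.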