Packet filtering with pf and gif tunnels.

J65nko BSD j65nko at
Sat Jan 8 17:14:49 PST 2005

On Sun, 9 Jan 2005 00:23:55 +0000, Lewis Thompson <lewiz at> wrote:
> Hi,
> I am wondering what sequence a packet goes through when it is passing
> through a gif tunnel.  I have the following interface and gif tunnel
> (with the equivalent being on the same subnet at the other side):
> fxp0: a.a.a.a/24
> gif0: a.a.a.a -> a.a.a.b ( ->
> My question is really what order does the packet pass through my
> firewall (pf) in?  i.e., is it:
> in on fxp0 from a.a.a.b to a.a.a.a
> (unencapsulated)
> in on gif0 from to
> or does it just magically "appear" on gif0 straight away?  Now I write
> it out I am assuming that it passes through pf twice (first on fxp0 and
> secondly on gif0); if this is in fact the case, what sensible rule might
> I add to allow this encapsulated traffic from a.a.a.b?
> Currently I have pf configured as follows:
> pass all
> pass quick proto icmp
> block in on fxp0
> pass out on fxp0 keep state
> pass in on fxp0 proto tcp from any to fxp0 port 22 keep state
> The reason I ask this question is that for my tunnel endpoints to ping
> each other, a.a.a.a must be doing so (a.a.a.b has no firewall).
>   Thank you,
> -Lewis Thompson.

For some debugging strategies in a similar case with IPSEC see

More information about the freebsd-questions mailing list
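The two-pass behaviour the question guesses at is how pf handles gif: an inbound tunnel packet is evaluated once on fxp0, still encapsulated (for an IPv4-in-IPv4 gif tunnel that is IP protocol 4, listed as ipencap in /etc/protocols), and again on gif0 as the decapsulated inner packet with the inner addresses, so the quoted ruleset drops it at "block in on fxp0" before any ICMP rule can see it. The pf.conf fragment below is an added example, not part of the original thread or a reply from J65nko; it keeps the poster's rules and addresses, and the inner tunnel subnet 10.0.0.0/30 is a placeholder because the post leaves those addresses out.

```pf
# Added example, not from the original thread. Assumes the gif tunnel is
# IPv4-in-IPv4 (IP protocol 4, "ipencap" in /etc/protocols). The inner
# tunnel subnet below is a placeholder; the post does not give it.
ext_if    = "fxp0"
tun_if    = "gif0"
local_ep  = "a.a.a.a"
remote_ep = "a.a.a.b"
tun_net   = "10.0.0.0/30"    # placeholder for the tunnel's inner subnet

pass all
pass quick proto icmp

# Pass 1: the packet arrives on fxp0 still encapsulated, so the only
# thing pf can match here is the outer header: proto 4 from a.a.a.b.
# Without this rule "block in on fxp0" drops it and gif0 never sees it.
block in on $ext_if
pass in on $ext_if proto ipencap from $remote_ep to $local_ep keep state
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state

# Pass 2: the decapsulated inner packet is evaluated again on gif0 with
# the inner addresses, so the inner traffic is filtered here by protocol
# and port exactly as it would be on a physical interface.
block in on $tun_if
pass in on $tun_if inet proto icmp from $tun_net to $tun_net keep state
pass in on $tun_if inet proto tcp from $tun_net to $tun_net port 22 keep state
```

Because pf keeps state on the ipencap rule, the outer reply packets a.a.a.a sends back to a.a.a.b are matched by that state entry rather than needing a separate outbound rule; `pfctl -s state` shows both the proto-4 state and the inner ICMP or TCP state while a tunnel ping is running.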