PF and filtering stateful on GIF interface
Norman Maurer
norman at apache.org
Sat Jan 5 13:26:03 PST 2008
Hi all,
I'm using FreeBSD 6.2-p9 on my server, which acts as an IPsec router using ipsec-tools. This works fine...
But now I need to filter traffic which comes from the local private network to the VPN private network. I tried to do this with pf using keep state. The return packets just get dropped.
So I reread the gif manpage and read about the IPSEC_FILTERGIF option. I rebuilt the kernel with the option and tried it again. No luck!
So I suspect this option is only valid for ipfw and ipf?
Any idea how I can use pf + IPsec (over a gif interface) to filter the needed stuff?
This, for example, does not work:
LOCAL_NET = 10.0.0.0/24
VPN_REMOTE_NET = 192.168.10.0/28
pass proto tcp from $LOCAL_NET to $VPN_REMOTE_NET port 22 flags S/SA keep state
This works:
LOCAL_NET = 10.0.0.0/24
VPN_REMOTE_NET = 192.168.10.0/28
pass proto tcp from $LOCAL_NET to $VPN_REMOTE_NET port 22
pass proto tcp from $VPN_REMOTE_NET port 22 to $LOCAL_NET
Thx for the help
bye
Norman