Andrew,

On 03/24/07 19:59, Andrew Thompson wrote:
>> What's really strange is packets coming through an IPSec tunnel can
>> be seen by pf on device enc but packets are still passing through
>> even if device enc0 is down.
>
> The code does check if the interface is running but if it's not then just
> passes the packet through unhindered. Do you think it should behave like
> you describe where the packets are dropped?

IMHO this is ok but it should be documented at least on enc(4). A short
note like "if the device is down packets are still passing the firewall
unfiltered" or the like would help. Also the following (from enc(4)):
"The enc interface allows an administrator to see outgoing packets..."
led me to the assumption enc is only of use for "seeing" traffic but not
of any use for filtering.

> See line 204, change the check to this
>
>         if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
>                 m_freem(*mp);
>                 return (-1);
>         }
>
>> So from my experience device enc currently is a bit strange in
>> behavior (at least on -STABLE). Also AFAIR I haven't been able to
>> block packets on device enc0 using pf. I suspect device enc is
>> currently a bit of a hack and currently probably only useful for
>> packet / connection logging but not for real firewalling. You might
>> check out if you're able to block anything on enc0 (my memories
>> might be wrong) and play with it a bit.
>
> This should work as you say and if it's not then that's a bug. Can you log
> the packets with pflog to check they are being blocked.

Will try to do so but first I have to solve another issue with the
filesystem. I'll set up some experimental rules and see if I'm able to
block traffic on enc0. Please stay tuned.

Greetings,

Volker

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
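A concrete rule set for the test Volker says he will run (block on enc0 and confirm via pflog), as an added example that is not part of the thread and not code from the FreeBSD project. It assumes a hypothetical tunnel between a local gateway 192.0.2.1 on em0 and a peer 198.51.100.1, carrying traffic between 10.0.1.0/24 (local) and 10.0.2.0/24 (remote); all of those names and addresses are assumptions.

```conf
# /etc/pf.conf fragment -- added example, not from the thread.
# Interface and addresses below are hypothetical.
ext_if     = "em0"
local_gw   = "192.0.2.1"
peer_gw    = "198.51.100.1"
local_net  = "10.0.1.0/24"
remote_net = "10.0.2.0/24"

# Outer (encrypted) traffic is filtered on the physical interface:
# IKE on udp/500 and the ESP payload itself.
pass in  on $ext_if proto udp from $peer_gw  to $local_gw port 500 keep state
pass out on $ext_if proto udp from $local_gw to $peer_gw  port 500 keep state
pass in  on $ext_if proto esp from $peer_gw  to $local_gw
pass out on $ext_if proto esp from $local_gw to $peer_gw

# Inner (cleartext) traffic is what pf sees on enc0: incoming packets after
# decapsulation, outgoing packets before encapsulation. Default-deny with
# logging so every dropped packet shows up on pflog0, then allow only what
# the tunnel is meant to carry.
block log on enc0 all
pass in  on enc0 inet proto tcp from $remote_net to $local_net  port 22 keep state
pass out on enc0 inet           from $local_net  to $remote_net         keep state
```

Load it with `pfctl -f /etc/pf.conf` and make sure the interface is up (`ifconfig enc0 up`) before testing: the point of the thread is that with enc0 down the current code passes the packets unfiltered, so a test against a down enc0 proves nothing. With the tunnel active, run `tcpdump -n -e -ttt -i pflog0` on the gateway and send something the rules do not allow from the remote network (e.g. a ping to the local network); each dropped packet should appear on pflog0 tagged with the `block` rule, and `pfctl -vsr` should show that rule's packet counters increasing. If the packets still reach their destination while enc0 is up, that is the bug Andrew asks to have confirmed.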