Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Andrey V. Elsukov
On 21.03.2017 16:23, Bjoern A. Zeeb wrote: > On 21 Mar 2017, at 12:12, Miroslav Lachman wrote: > >> Bjoern A. Zeeb wrote on 2017/03/21 >>> I thought the entire idea of making ipsec loadable was that we don’t >>> have to ship it in the kernel and have it available? >> >> Then sorry for the noise.

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Marin Bernard
Hi, I just got it working. Here is what I have done: - Loaded the kernel module:     # kldload if_enc - Set the interface up:     # ifconfig enc0 up - Tweaked sysctl to enable tunnel filtering. Default value is 0 and makes IPsec-related traffic bypass the firewall:     # sysctl net.inet.ips

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Andrey V. Elsukov
On 21.03.2017 16:23, Bjoern A. Zeeb wrote: > On 21 Mar 2017, at 12:12, Miroslav Lachman wrote: > >> Bjoern A. Zeeb wrote on 2017/03/21 12:56: >>> On 21 Mar 2017, at 11:46, Kurt Jaeger wrote: >>> Hi! >> If you want to filter on it it should work if you add “device >> enc” to y

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Bjoern A. Zeeb
On 21 Mar 2017, at 12:12, Miroslav Lachman wrote: > Bjoern A. Zeeb wrote on 2017/03/21 12:56: >> On 21 Mar 2017, at 11:46, Kurt Jaeger wrote: >> >>> Hi! >>> > If you want to filter on it it should work if you add “device > enc” to your > kernel config. The man page suggests that sh

FreeBSD 10.3, pf, and rtp, definite firewall issue

2017-03-21 Thread David Mehler
Hello, I've included my firewall rules below. Can someone take a look at them and give me an assessment? They are working for the most part except with asterisk in a jail and rtp. I've got a single server, a vps, and one public IP. On the server (FreeBSD 10.3, trying to decide whether to go 11 op

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Kristof Provost
On 21 Mar 2017, at 12:44, Miroslav Lachman wrote: Kristof Provost wrote on 2017/03/21 10:18: On 21 Mar 2017, at 9:43, Marin Bernard wrote: If there is no SA, it is impossible for a peer to ping another. As soon as IKE creates a SA, however, ping starts working. As you can see, the last rule

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Miroslav Lachman
Bjoern A. Zeeb wrote on 2017/03/21 12:56: On 21 Mar 2017, at 11:46, Kurt Jaeger wrote: Hi! If you want to filter on it it should work if you add “device enc” to your kernel config. The man page suggests that should then allow you to filter IPSec traffic on enc0. Shouldn't it be included

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Kurt Jaeger
Hi! > >> Shouldn't it be included in GENERIC if IPSec is now part of it? > > Yes, please include enc in the GENERIC kernel. > I thought the entire idea of making ipsec loadable was that we don’t > have to ship it in the kernel and have it available? You are right. kldload if_enc seems to wor

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Bjoern A. Zeeb
On 21 Mar 2017, at 11:46, Kurt Jaeger wrote: Hi! If you want to filter on it it should work if you add “device enc” to your kernel config. The man page suggests that should then allow you to filter IPSec traffic on enc0. Shouldn't it be included in GENERIC if IPSec is now part of it?

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Kurt Jaeger
Hi! > > If you want to filter on it it should work if you add “device enc” to > > your > > kernel config. The man page suggests that should then allow you to > > filter IPSec > > traffic on enc0. > > Shouldn't it be included in GENERIC if IPSec is now part of it? Yes, please include enc in

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Miroslav Lachman
Kristof Provost wrote on 2017/03/21 10:18: On 21 Mar 2017, at 9:43, Marin Bernard wrote: If there is no SA, it is impossible for a peer to ping another. As soon as IKE creates a SA, however, ping starts working. As you can see, the last rule is explicitly bound to the inexistent enc0 interfac

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Marin Bernard
Hi again Kristof, It appears you were right. ICMP flows through even with no rule set. I'm afraid I'll have to build a custom kernel. Thank you for your help, Marin. 21 March 2017 10:18 "Kristof Provost" wrote: > On 21 Mar 2017, at 9:43, Marin Bernard wrote: > > Thanks for answering. Yes,

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Kristof Provost
On 21 Mar 2017, at 9:43, Marin Bernard wrote: Thanks for answering. Yes, I know that pf accepts rules mentioning inexistent interfaces. What puzzles me here is that my ruleset is actually working. With peer0 = 1.2.3.4 and peer1 = 5.6.7.8, the following ruleset works as expected: - peers =

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Marin Bernard
Hi, Thanks for answering. Yes, I know that pf accepts rules mentioning inexistent interfaces. What puzzles me here is that my ruleset is actually working. With peer0 = 1.2.3.4 and peer1 = 5.6.7.8, the following ruleset works as expected: - peers = "{1.2.3.4, 5.6.7.8}" set skip on lo block

ALTQ on epair not working

2017-03-21 Thread Özkan KIRIK
Hello, I'm using FreeBSD 10.3-p17 amd64. The epair pseudo device is listed as a supported device in the man page of altq(4). From the man page of altq: SUPPORTED DEVICES: The driver modifications described in altq(9)