On 21.03.2017 16:23, Bjoern A. Zeeb wrote:
> On 21 Mar 2017, at 12:12, Miroslav Lachman wrote:
>
>> Bjoern A. Zeeb wrote on 2017/03/21
>>> I thought the entire idea of making ipsec loadable was that we don’t
>>> have to ship it in the kernel and have it available?
>>
>> Then sorry for the noise.
Hi,
I just got it working. Here is what I have done:
- Loaded the kernel module:
# kldload if_enc
- Set the interface up:
# ifconfig enc0 up
- Tweaked sysctl to enable tunnel filtering. Default value is 0 and
makes IPsec-related traffic bypass the firewall:
# sysctl net.inet.ips
On 21.03.2017 16:23, Bjoern A. Zeeb wrote:
> On 21 Mar 2017, at 12:12, Miroslav Lachman wrote:
>
>> Bjoern A. Zeeb wrote on 2017/03/21 12:56:
>>> On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
>>>
Hi!
>> If you want to filter on it it should work if you add “device
>> enc” to y
On 21 Mar 2017, at 12:12, Miroslav Lachman wrote:
> Bjoern A. Zeeb wrote on 2017/03/21 12:56:
>> On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
>>
>>> Hi!
>>>
> If you want to filter on it it should work if you add “device
> enc” to your
> kernel config. The man page suggests that sh
On 21 Mar 2017, at 12:44, Miroslav Lachman wrote:
Kristof Provost wrote on 2017/03/21 10:18:
On 21 Mar 2017, at 9:43, Marin Bernard wrote:
If there is no SA, it is impossible for a peer to ping another. As
soon
as IKE creates a SA, however, ping starts working. As you can see,
the last rule
Bjoern A. Zeeb wrote on 2017/03/21 12:56:
On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
Hi!
If you want to filter on it it should work if you add “device
enc” to your
kernel config. The man page suggests that should then allow you to
filter IPSec
traffic on enc0.
Shouldn't it be included
Hi!
> >> Shouldn't it be included in GENERIC if IPSec is now part of it?
> > Yes, please include enc in the GENERIC kernel.
> I thought the entire idea of making ipsec loadable was that we don’t
> have to ship it in the kernel and have it available?
You are right. kldload if_enc seems to wor
On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
Hi!
If you want to filter on it it should work if you add “device
enc” to your
kernel config. The man page suggests that should then allow you to
filter IPSec
traffic on enc0.
Shouldn't it be included in GENERIC if IPSec is now part of it?
Hi!
> > If you want to filter on it it should work if you add “device enc” to
> > your
> > kernel config. The man page suggests that should then allow you to
> > filter IPSec
> > traffic on enc0.
>
> Shouldn't it be included in GENERIC if IPSec is now part of it?
Yes, please include enc in
Kristof Provost wrote on 2017/03/21 10:18:
On 21 Mar 2017, at 9:43, Marin Bernard wrote:
If there is no SA, it is impossible for a peer to ping another. As soon
as IKE creates a SA, however, ping starts working. As you can see,
the last rule is explicitly bound to the inexistent enc0 interfac
Hi again Kristof,
It appears you were right. ICMP flows through even with no rule set. I'm afraid
I'll have to build a custom kernel.
Thank you for your help,
Marin.
21 March 2017 10:18 "Kristof Provost" wrote:
> On 21 Mar 2017, at 9:43, Marin Bernard wrote:
> > Thanks for answering. Yes,
On 21 Mar 2017, at 9:43, Marin Bernard wrote:
Thanks for answering. Yes, I know that pf accepts rules mentioning
inexistent
interfaces. What puzzles me here is that my ruleset is actually
working.
With peer0 = 1.2.3.4 and peer1 = 5.6.7.8, the following ruleset works
as
expected:
-
peers =
Hi,
Thanks for answering. Yes, I know that pf accepts rules mentioning inexistent
interfaces. What puzzles me here is that my ruleset is actually working.
With peer0 = 1.2.3.4 and peer1 = 5.6.7.8, the following ruleset works as
expected:
-
peers = "{1.2.3.4, 5.6.7.8}"
set skip on lo
block
On 20 Mar 2017, at 23:08, Marin Bernard wrote:
Yet, it appears that pf is able to handle references to enc(4) in its
ruleset
even if the kernel does not support it. Is it expected behaviour? Is
it
safe to use such a configuration on a production machine ?
pf accepts rules for interfaces that d
Sorry for the noise: the webmail ate my message. Here is the full version:
Hi all,
I set up IPsec between several FreeBSD 11-RELEASE hosts. IKEv2 is managed by
security/openiked.
I use pf to filter the traffic, and the rulesets include several references
to the enc0 pseudo-interface, which all
Hi all,
I've just set up IPsec between two FreeBSD 11-RELEASE hosts with
security/openiked.
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf