[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf + enc

On Wed, Jul 17, 2002 at 11:21:27AM -0500, glaive@vaned.net wrote:

> although this does not work.  (despite including filters in the isakmp
> policy file, and the flows being configured a certain way i'm assuming
> no enforcement is done on encapsulated addresses going through the vpn?)

Yes, for some reason (I haven't investigated it fully yet), some packets
will go through the enc interface still encapsulated (probably they are
encapsulated in multiple layers). The important point is that they will
pass through enc for each layer, so it's enough to block unwanted
packets on any of those passes. So, just allow the outer layer (which is
probably just from/to the tunnel endpoints) with two additional rules
(allowing the encapsulation protocol), and the filter policy on the
innermost protocol will still be enforced.

If someone has a more detailed analysis of this case, please let me
know, so the pf example rules in the vpn man page can be adjusted.