[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Keeping state on enc0 interface

On Wed, May 28, 2003 at 11:23:40AM -0400, Steven Mullins wrote:
> May 28 10:14:04.970490 rule 0/0(match): block in on enc0: >
> S 13316147:13316147(0) ack 2710659351 win 2144 <mss 536>
> (encap)
Note above.
> Any ideas why this packet from is not being passed?
It's not a plain TCP packet, but encapsulated. The tcpdump output is
only subtly different, but it's not a TCP packet for pf, but a different
protocol (probably 'proto ipencap', check with tcpdump -nX, protocol is
the 10th byte in the hex dump, name translation uses /etc/protocols).
Depending on the setup, you'll see the same packets twice passing
through enc0, once as plain TCP and once encapsulated. The general
recommendation is to pass the encapsulated protocol and do the filtering
on proto tcp/udp/icmp.