
Is filtering enc0 possible/necessary?



I established a VPN between 2 OpenBSD 3.4 hosts, which works without problems when no filtering on enc0 is done (pass in on enc0 from any to any keep state).

I tried to change the rule to:
pass in on enc0 from $net_home to $net_office keep state

The rule is loaded correctly, here is an excerpt from pfctl -sr:
pass in on enc0 inet from 10.2.0.0/24 to 10.1.1.0/24 keep state

This looks perfectly ok so far. But when I try to ping a host in the remote network, the packet gets blocked with the following message:
Dec 19 20:17:09.122118 rule 0/0(match): block in on enc0: 10.2.0.2 > 10.1.1.204: icmp: echo request (encap)


I searched this forum, and found 2 people with a similar problem (but not a solution). In both cases Daniel suggested that the blocked packet is not tcp, as it gets processed by the enc0 interface first as encrypted "encap" packet, and afterwards as tcp (or whatever) packet. It definitely looks like this; I changed the rule to "pass in log on enc0 from any to any", and get the following output:

Dec 19 20:18:33.904748 rule 63/0(match): pass in on enc0: 10.2.0.2 > 10.1.1.204: icmp: echo request (encap)
Dec 19 20:18:33.904774 rule 63/0(match): pass in on enc0: 10.2.0.2 > 10.1.1.204: icmp: echo request


But anyway, those packets should get covered by "pass in on enc0 inet from 10.2.0.0/24 to 10.1.1.0/24 keep state", or am I wrong?

I am aware that I can simply allow all packets on enc0, and perform the filtering on the internal interface of the remote firewall - is this the best possible solution?

Thanks in advance
-Urban
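A pf.conf fragment, added here as an illustration and not part of Urban's post, showing the two evaluations the logged lines imply: the decapsulated inner packet, which the posted net-to-net rule matches, and the IP-in-IP wrapper that tcpdump prints as "(encap)", whose outer header carries the two gateway addresses rather than the inner networks and therefore needs its own proto ipencap rule. The gateway addresses are placeholders and the ipencap interpretation of the first pass is an assumption.

```pf
# Macros from the post; the gateway addresses are placeholders for the
# outer (tunnel endpoint) addresses of the two IPsec peers.
net_home   = "10.2.0.0/24"
net_office = "10.1.1.0/24"
gw_home    = "192.0.2.1"       # placeholder: home gateway outer address
gw_office  = "198.51.100.1"    # placeholder: office gateway outer address

# Second pass on enc0: the decapsulated inner packet
# (10.2.0.2 > 10.1.1.204: icmp: echo request).  The posted rule covers it.
pass in on enc0 from $net_home to $net_office keep state

# First pass on enc0: the IP-in-IP wrapper tcpdump marks "(encap)".
# Without -v tcpdump prints the inner addresses, but pf evaluates the
# outer header, whose addresses are the gateways, so the rule above does
# not match and the default block logs the "(encap)" line.  Pass the
# wrapper explicitly between the two tunnel endpoints.
pass in on enc0 proto ipencap from $gw_home to $gw_office
```

Loading with pfctl -nf /etc/pf.conf checks the syntax; pfctl -sr then shows both enc0 rules expanded as the post's excerpt does.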