[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf does not pass esp?

To: misc@openbsd.org
Subject: Re: pf does not pass esp?
From: "Arvid Grøtting" <arvidg@netfonds.no>
Date: Thu, 21 Mar 2002 10:15:02 +0100
Cancel-Lock: sha1:Q5vfirSJz2QWfcbtSBVUh4js/s4=
Mail-Copies-To: never
Newsgroups: gmane.openbsd.misc
Organization: No such thing.
References: <20020320232134.156bc882.doktorn@realworld.nu> <20020320144237.D14752@syn.codemonkey.net> <20020321005003.4aa8ff40.doktorn@realworld.nu>
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.1 (i686-pc-linux-gnu)

Rickard Borgmäster <doktorn@realworld.nu> writes:

> Does this mean, that I cannot use ESP on a machine located behind the
> OpenBSD PF firewall?

No; you can, but the machine must have an official IP address.  (More
precisely, it must have the same address on both sides of the PF
firewall.)

Also, IIRC you can't use "keep state" in your (3.0-stable) PF rules
for ESP.

I have ESP passing through not one but two OpenBSD 3.0 PF firewalls
with no problem.  Rules example:

pass in on $ext_if proto ah from $foo_gw_foo to $foo_gw_here
pass in on $ext_if proto esp from $foo_gw_foo to $foo_gw_here
pass in proto ah from $foo_gw_here to $foo_gw_foo
pass in proto esp from $foo_gw_here to $foo_gw_foo

-- 

Arvid

Follow-Ups:
- Re: pf does not pass esp?
  - From: Rickard Borgmäster <doktorn@realworld.nu>

References:
- pf does not pass esp?
  - From: Rickard Borgmäster <doktorn@realworld.nu>
- Re: pf does not pass esp?
  - From: Jason Ish <jason@codemonkey.net>
- Re: pf does not pass esp?
  - From: Rickard Borgmäster <doktorn@realworld.nu>

Prev by Date: Re: (U) More problems with pf
Next by Date: Re: isakmpd and reboots
Prev by thread: Re: pf does not pass esp?
Next by thread: Re: pf does not pass esp?
Index(es):
- Date
- Thread