On Monday 20 January 2003 11:34 pm, Crist J. Clark wrote:
>
> I don't see this. I have one rule on my external interface,
>
>   block in log quick on de0 all                           head 2000
>     ...
>     pass  in     quick proto esp from any to 12.234.89.252/32 group 2000

First, let me point out that I'm running -current (as of 2 days ago).
I don't know if that is relevant to this discussion or not.

The behavior you state is the behavior I was expecting and hoping for,
but not what I experienced.  When I study my ipmon and ipfstat output,
I see the "pass esp" rule matching packets, but then I also see the
decoded packets being dropped.  I observed the same behavior when
I was using ipfw instead of ipfilter.

I am a bit surprised that the packet count is not the same for the
ESP packets and the un-encapsulated packets.

41 @5 block in log quick on rl0 from 192.168.0.0/16 to any
27 @15 pass in quick on rl0 proto esp from 64.139.19.166/32 to 66.87.52.132/32

> Obviously, I need a rule on the internal interface to let the
> unencrypted traffic pass this interface. But since all of the
> interesting filtering of traffic from the outside world happens on the
> external interface,

In my case the packets are being dropped on the outside interface, as shown
above.

mike
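As an added illustration (not part of the thread, and not Mike's or Crist's rule set), here is an ipf.conf fragment laid out around the behaviour Mike reports: on FreeBSD, a tunnel-mode ESP packet is passed by the "proto esp" rule, then the decapsulated inner packet is handed back to the input path and filtered a second time on the same external interface, now carrying the remote site's private source address. The interface name rl0 and the 192.168.0.0/16 anti-spoof block are taken from the thread; the peer gateway 203.0.113.10, the local gateway 198.51.100.5, and the two private networks 192.168.10.0/24 and 192.168.1.0/24 are assumed values.

```text
# /etc/ipf.conf fragment (added example; addresses other than the
# 192.168.0.0/16 block are assumed).  ipfilter "quick" rules are
# first-match, so ordering is what matters here.

# Pass the decapsulated tunnel traffic.  It re-enters the filter on rl0
# with the remote private network as source, so this rule must come
# before the anti-spoof block below or the inner packets are dropped
# on the outside interface exactly as described in the thread.
# Caveat: ipfilter cannot distinguish this packet from a cleartext
# packet forged with the same source address, so keep the destination
# as narrow as the tunnel actually needs.
pass  in quick on rl0 from 192.168.10.0/24 to 192.168.1.0/24

# Anti-spoofing for everything else in private address space.
block in log quick on rl0 from 192.168.0.0/16 to any

# The ESP envelope itself, accepted from the known peer only.
pass  in quick on rl0 proto esp from 203.0.113.10/32 to 198.51.100.5/32
```

To confirm which copy of the packet a block rule is eating, compare per-rule hit counts with `ipfstat -ihn` (the format of the two counter lines quoted above) and look at the source address ipmon logs for the block rule: the ESP copy carries the peer gateway's public address, while the decapsulated copy carries the remote private network.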


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
