I'm trying to figure out how the enc interface works, and especially how 
to filter it using pf.  This is what enc(4) says:

     The enc interface allows an administrator to see outgoing packets before
     they have been processed by ipsec(4), or incoming packets after they have
     been similarly processed, via tcpdump(8).

     The ``enc0'' interface inherits all IPsec traffic.  Thus all IPsec traf-
     fic can be filtered based on ``enc0'', and all IPsec traffic could be
     seen by invoking tcpdump(8) on the ``enc0'' interface.

I think this tells me that I can see unencrypted/unencapsulated traffic on 
enc0.

However, with tcpdump I see this:

14:09:27.894326 (authentic,confidential): SPI 0x728aafc9: 86.90.xx.xx > 62.58.xx.xx: 192.168.2.3.1264 > 192.168.1.7.8194: . [tcp sum ok] ack 139 win 64431 (DF) (ttl 128, id 45685, len 40) (ttl 118, id 45685, len 60)

14:09:27.915205 (authentic,confidential): SPI 0x021e1fcd: 62.58.xx.xx > 86.90.xx.xx: 192.168.1.131.3389 > 192.168.2.3.1182: . [tcp sum ok] ack 177 win 65075 (ttl 127, id 59080, len 40) (ttl 64, id 46361, len 60, bad cksum 0!)

The encapsulation is included... that's pretty cool and handy, but I'm not 
sure if that's what the manpage says.

And it looks like pf has its tentacles elsewhere in the stack; here's what 
I see if I log what gets passed on enc0:

09:00:21.390463 rule 514/(match) [uid 0, pid 15450] pass in on enc0: 84.104.xx.xx > 62.58.xx.xx: 192.168.28.28.46259 > 192.168.42.10.993: [|tcp] (DF) (ttl 63, id 9133, len 64) (ttl 55, id 6610, len 84, bad cksum a754!)

09:00:21.390541 rule 514/(match) [uid 0, pid 15450] pass in on enc0: 192.168.28.28.46259 > 192.168.42.10.993: S 1525235396:1525235396(0) win 16384 <mss 1360,nop,nop,sackOK,nop,wscale 0,[|tcp]> (ttl 63, id 9133, len 64, bad cksum 5094!)

14:15:32.553135 rule 515/(match) [uid 0, pid 23431] pass out on enc0: 192.168.42.10.24605 > 192.168.28.28.22: [|tcp] [tos 0x10] (ttl 63, id 33734, len 64)

So inbound traffic passes twice: first with encapsulation, and the second 
time without.  However, outbound traffic only passes _once_, without the 
encapsulation.

So I think the pf rules for filtering on enc0 should look like this:

# pass encapsulated traffic
pass  in  quick log on enc0 proto ipencap from $ext_peer_ip to $ext_if \
          keep state (other.single 3600)
# rules on decrypted traffic
pass  in  quick on enc0 from 192.168.28.28 to 192.168.42.10 port 993 \
          keep state
block in  quick on enc0

All in all:
- the bpf view is different from the pf view
- the inbound pf view is different from outbound

Should pf even see the inbound ipencap traffic?  There's nothing much that 
can be done with it that cannot also be done on the physical interfaces...

Shouldn't enc just carry the unencrypted/unencapsulated traffic like the 
manpage says?  That would make it behave far more like a "normal" 
interface.


--
Cam
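The double pass that the post describes can be checked mechanically from the pflog output rather than by eye. The following is an added example, not part of the original post or of OpenBSD: it parses pflog lines in the layout quoted above (the regexes assume that layout, including the author's masked "xx" octets), treats a record with two "src > dst:" address pairs as one that pf evaluated while the tunnel header was still present, and counts how many times each inner flow was passed per direction. The sample input is the post's own three log lines, re-joined onto single lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the three pflog lines quoted in the post, re-joined onto
# single lines (the "xx" octets are the author's own masking and are kept).
SAMPLE_PFLOG = """\
09:00:21.390463 rule 514/(match) [uid 0, pid 15450] pass in on enc0: 84.104.xx.xx > 62.58.xx.xx: 192.168.28.28.46259 > 192.168.42.10.993: [|tcp] (DF) (ttl 63, id 9133, len 64) (ttl 55, id 6610, len 84, bad cksum a754!)
09:00:21.390541 rule 514/(match) [uid 0, pid 15450] pass in on enc0: 192.168.28.28.46259 > 192.168.42.10.993: S 1525235396:1525235396(0) win 16384 <mss 1360,nop,nop,sackOK,nop,wscale 0,[|tcp]> (ttl 63, id 9133, len 64, bad cksum 5094!)
14:15:32.553135 rule 515/(match) [uid 0, pid 23431] pass out on enc0: 192.168.42.10.24605 > 192.168.28.28.22: [|tcp] [tos 0x10] (ttl 63, id 33734, len 64)
"""

# pflog header as tcpdump printed it in the post (assumption: this is the only
# header layout we need to handle).
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"\[uid (?P<uid>\d+), pid (?P<pid>\d+)\] "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): (?P<rest>.*)$"
)
# One "src > dst:" address pair; hosts may carry a trailing ".port" and the
# masked "xx" octets, hence [\w.] rather than a strict dotted-quad pattern.
PAIR_RE = re.compile(r"(?P<src>[\w.]+) > (?P<dst>[\w.]+):")


@dataclass
class PflogRecord:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    pairs: List[Tuple[str, str]]  # address pairs, outermost header first

    @property
    def encapsulated(self) -> bool:
        # tcpdump prints "outer > outer: inner > inner:" for IP-in-IP, so two
        # address pairs mean pf saw the packet with its tunnel header still on.
        return len(self.pairs) >= 2

    @property
    def inner_flow(self) -> Tuple[str, str]:
        # The protected (innermost) endpoints, whatever header depth pf saw.
        return self.pairs[-1]


def parse_pflog_line(line: str) -> Optional[PflogRecord]:
    """Parse one pflog line; return None for lines in a layout we do not know."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rest, pos, pairs = m.group("rest"), 0, []
    # Collect consecutive "src > dst:" pairs; the loop stops at the first token
    # that is not an address pair (TCP flags, "[|tcp]", options, ...).
    while True:
        pm = PAIR_RE.match(rest, pos)
        if pm is None:
            break
        pairs.append((pm.group("src"), pm.group("dst")))
        pos = pm.end()
        if rest.startswith(" ", pos):
            pos += 1
    if not pairs:
        return None
    return PflogRecord(ts=m.group("ts"), rule=int(m.group("rule")),
                       action=m.group("action"), direction=m.group("dir"),
                       ifname=m.group("ifname"), pairs=pairs)


def summarize(log_text: str) -> Dict[Tuple[str, str, str], int]:
    """Count records per (interface, direction, 'encapsulated' | 'plain')."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is not None:
            kind = "encapsulated" if rec.encapsulated else "plain"
            counts[(rec.ifname, rec.direction, kind)] += 1
    return dict(counts)


def passes_per_inner_flow(log_text: str) -> Dict[Tuple[str, str, str], int]:
    """Times pf passed each inner flow, keyed by (direction, src, dst).

    A count of 2 for an inbound flow is the double evaluation the post
    describes: once with the tunnel header, once after decapsulation.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is not None and rec.action == "pass":
            src, dst = rec.inner_flow
            counts[(rec.direction, src, dst)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_PFLOG).items()):
        print(key, n)
    for key, n in sorted(passes_per_inner_flow(SAMPLE_PFLOG).items()):
        print(key, n)
```

On the sample, `summarize` reports one encapsulated and one plain inbound record and a single plain outbound record, and `passes_per_inner_flow` shows the inbound 192.168.28.28 -> 192.168.42.10:993 flow passed twice while the outbound flow passed once. Fed a real `tcpdump -n -e -i pflog0` capture with `pass ... log` rules on enc0, the same counts tell you whether a given pf version is evaluating inbound IPsec traffic before and after decapsulation.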
