I know ipf (the predecessor to pf) had a "keep state" option so that traffic
originating from the machine could get back in. Maybe try taking a look at
that option and see if it helps.

> Just tried it: Doesn't work :-(
> In fact, that line you referred to was added after the fact.
> After I realized the enc0 line wouldn't work, I commented
> the whole line out and it still chokes. I set up a ping
> on my notebook with your suggestion, and here is what
> the logs say (trimmed down).
>
> rule 2/0(match): block in on enc0: 192.168.3.2 > 192.168.2.202: icmp: echo reply (encap)
>
> The traffic gets out, but not back in. That is the part I do not
> understand.
>
> On Mon, Mar 18, 2002 at 10:51:13AM -0700, J.Francois wrote:
> > You have a rule that blocks all incoming RFC1918 addresses.
> > Remove the "quick" on:
> >
> > > block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
> > >     192.168.0.0/16, 255.255.255.255/32} to any
> >
> > and let's see what happens.
> > Getting rid of "quick" will let you fall thru the rest of your rules.
> > IIRC the physical interface gets handled before the tunneled interface.
> >
> > On Mon, Mar 18, 2002 at 12:15:11PM -0500, Mike wrote:
> > > In setting up IPSec on some OpenBSD boxes, I have
> > > noticed that I cannot use a statement to pass traffic
> > > on the enc0 in ONLY from a certain network. See my pf
> > > rules below:
> > > --------------------------------------------------------
> > > SCOTT_OFFICE = "XXX.XXX.XXX.XXX"
> > >
> > > scrub in on xl0 all
> > > scrub in on enc0 all
> > >
> > > block in log from any to any
> > > block out log from any to any
> > >
> > > block in quick on xl0 from any to 255.255.255.255
> > > block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
> > >     192.168.0.0/16, 255.255.255.255/32} to any
> > >
> > > pass in on enc0 from any to any
> > > pass out quick on enc0 from 192.168.3.0/24 to 192.168.2.0/24
> > > #pass in quick on enc0 from 192.168.2.0/24 to 192.168.3.0/24
> > >
> > > pass in quick on fxp0 from 192.168.3.0/24 to any keep state
> > > pass out quick on fxp0 from 192.168.2.235 to 192.168.3.13
> > > pass out quick on fxp0 from 192.168.2.202 to 192.168.3.2
> > >
> > > pass in quick on xl0 proto udp from $SCOTT_OFFICE to xl0 port = 500
> > > pass out quick on xl0 proto udp from xl0 to $SCOTT_OFFICE port = 500
> > >
> > > pass in on xl0 proto esp from $SCOTT_OFFICE to xl0
> > > pass out on xl0 proto esp from xl0 to $SCOTT_OFFICE
> > > ----------------------------------------------------------------
> > > Notice the commented line for the enc0 interface. I have tried
> > > changing the line, but it will not work. These rules function
> > > similarly on both sides (work & home). It only chokes on the "in"
> > > rules, not the "out".
> > >
> > > Can anyone explain this behavior to me?
> >
> > --
> > Jean Francois - JLF Sends...                                    /"\
> > "Tell them we are not Gods, but SysAdmins, which is the next    \ /  ASCII Ribbon Campaign
> >  best thing."                                                   X   Against HTML Mail
> > Getting Facts - $35: http://www.winface.com/blurb.html          / \
> > Getting Certs - $40: http://www.brainbench.com/transcript.jsp?pid=1214021
> > Getting Published - Priceless: http://www.informit.com/authors/index.asp?authorid={6AD44647-E752-4CAB-B911-D3246F294DBA}
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
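To make the "quick" versus last-matching-rule behaviour that Jean Francois's reply relies on concrete, here is an added example (not code from the thread) that walks Mike's ruleset the way pf does and reports which rule decides the logged echo reply. It is a simplification by assumption: only direction, interface and addresses are matched, protocols and the scrub lines are ignored, and the RFC1918 list is expanded into one rule per network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # a matching quick rule ends evaluation
    iface: Optional[str]   # None matches any interface
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _matches(r: Rule, pkt: dict) -> bool:
    return (r.direction == pkt["dir"] and r.iface in (None, pkt["iface"])
            and _addr_ok(r.src, pkt["src"]) and _addr_ok(r.dst, pkt["dst"]))

def evaluate(rules, pkt):
    """Walk the ruleset like pf: the last matching rule wins unless a
    matching rule carries 'quick', which decides on the spot. Returns
    (verdict, index of the deciding rule); with no match at all pf passes."""
    verdict, winner = "pass", None
    for i, r in enumerate(rules):
        if _matches(r, pkt):
            verdict, winner = r.action, i
            if r.quick:
                break
    return verdict, winner

# Mike's filter rules, simplified as stated in the lead-in (assumed model).
RULESET = [
    Rule("block", "in", False, None, "any", "any"),                        # 0
    Rule("block", "out", False, None, "any", "any"),                       # 1
    Rule("block", "in", True, "xl0", "any", "255.255.255.255/32"),         # 2
    Rule("block", "in", True, "xl0", "10.0.0.0/8", "any"),                 # 3
    Rule("block", "in", True, "xl0", "172.16.0.0/12", "any"),              # 4
    Rule("block", "in", True, "xl0", "192.168.0.0/16", "any"),             # 5
    Rule("pass", "in", False, "enc0", "any", "any"),                       # 6
    Rule("pass", "out", True, "enc0", "192.168.3.0/24", "192.168.2.0/24"), # 7
    Rule("pass", "in", True, "fxp0", "192.168.3.0/24", "any"),             # 8
]

# The decrypted echo reply from the logged line, as a constructed packet.
ECHO_REPLY = {"dir": "in", "iface": "enc0", "src": "192.168.3.2", "dst": "192.168.2.202"}

def without_enc0_pass(rules):
    """The same ruleset with the 'pass in on enc0' line commented out."""
    return [r for r in rules if not (r.iface == "enc0" and r.direction == "in")]
```

With the enc0 pass line present the reply is passed by rule 6 (block-all matched first but is not quick); with it commented out, as in Mike's test, rule 0 is the last match and the reply is blocked, while the same packet arriving unencrypted on xl0 is stopped early by the quick RFC1918 rule.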