Post by Vadim Zaliv » Wed, 05 Feb 2003 10:47:13


I have an IPSEC tunnel working on my OpenBSD 3.2. However, interface 'enc0' is
down and does not have an address assigned to it. Is it normal? The ipsec(4) man
page mentions that I could assign NAT rules to it.



1. Pf and limits on inbound from enc0

I'm using OBSD 3.0 with pf, nat and isakmpd

All works fine, but I'm tightening up my rules.

My default rules block in and out on all interfaces (internal, external and
dmz). I then proceed to open things up.

My problem comes from my vpn connections using enc0.

I allow in from any to internal network on enc0:

pass in quick on enc0 from any to $int_net keep state

but I also need to allow those connections to pass out on my internal
interface.  I currently just allow from any - hoping that my external
interface rules are blocking all inbound - so any traffic would implicitly
be coming from enc0.

I hate leaving rules as implicit - since I have a number of sites, using
private ips, I'd rather not have to maintain a bunch of rules for each of
those sites' address ranges.  Is there any easier way to specify that things
going out the internal interface can only come from enc0?  Since enc0 is
virtual and has no ip, I can't do:

pass out quick on $int_if from enc0 to $int_net keep state

So I currently have:

pass out quick on $int_if from any to $int_net keep state
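One way to express "only what came in on enc0 may go out the internal interface", as an added example that is not from either post: pf's packet tagging marks connections that entered on enc0 and lets the outbound rule on $int_if match only those. It assumes OpenBSD 3.3 or later, where the tag/tagged keywords became available (the 3.0 setup in the post predates them); the interface names and network below are constructed placeholders, and $int_if and $int_net are the post's own macros.

```pf
# Added example, not from the posts above. Assumes OpenBSD 3.3+ for tag/tagged.
# Interface names and the address range are constructed placeholders.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"

# Default deny on every interface, as in the post; 'log' sends what the
# block rules catch to pflog0 so the tightening can be checked with tcpdump.
block in log all
block out log all

# Decrypted VPN traffic arriving on enc0: allow it to the internal network,
# create state, and tag it so later rules can recognise where it came from.
# The tag travels with the packet (and its state) across interfaces.
pass in quick on enc0 from any to $int_net keep state tag VPN_IN

# Only packets carrying that tag may be forwarded out $int_if. Anything that
# did not enter through enc0 has no tag and falls through to 'block out'.
pass out quick on $int_if tagged VPN_IN keep state
```

Because the outbound rule keys on the tag rather than on source addresses, no per-site address list is needed as remote private ranges change.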

