pf rules on enc0 interface (OpenBSD)

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Mike
Date:  
Subject: pf rules on enc0 interface (OpenBSD)
In setting up IPSec on some OpenBSD boxes, I have
noticed that I can not use a statement to pass traffic
on the enc0 in ONLY from a certain network. See my pf
rules below:
--------------------------------------------------------
SCOTT_OFFICE = "XXX.XXX.XXX.XXX"

scrub in on xl0 all
scrub in on enc0 all

block in log from any to any
block out log from any to any

block in quick on xl0 from any to 255.255.255.255
block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
                192.168.0.0/16, 255.255.255.255/32} to any


pass in on enc0 from any to any
pass out quick on enc0 from 192.168.3.0/24 to 192.168.2.0/24
#pass in quick on enc0 from 192.168.2.0/24 to 192.168.3.0/24

pass in quick on fxp0 from 192.168.3.0/24 to any keep state
pass out quick on fxp0 from 192.168.2.235 to 192.168.3.13
pass out quick on fxp0 from 192.168.2.202 to 192.168.3.2

pass in quick on xl0 proto udp from $SCOTT_OFFICE to xl0 port = 500
pass out quick on xl0 proto udp from xl0 to $SCOTT_OFFICE port = 500

pass in on xl0 proto esp from $SCOTT_OFFICE to xl0
pass out on xl0 proto esp from xl0 to $SCOTT_OFFICE
----------------------------------------------------------------
Notice the commented line for the enc0 interface. I have tried
changing the line, but it will not work. These rules function
similar on both sides (work & home). It only chokes on the "in"
rules, not the "out".

Can anyone explain this behavior to me?