On Sun, Sep 14, 2003 at 10:30:43PM -0300, Alejandro G. Belluscio wrote:
> Hello pf,
> 
>   I always get my ideas just on the crunch pre-release ;-). The
> question is whether it is planned to be able to tag packets on the isakmpd
> SA. Since all the packets get mixed into enc0, it's very difficult
> to filter an attack from a brain-dead client's LAN. If we could tag at
> least the origin, then it could be easier to know who's the culprit. Of
> course I'm assuming that they would send forged IPs or something like
> that.
>   Of course maybe it's the wrong list to ask for it. If so, where
> should I ask?

you could do this:

pass in on $extern proto 50 from PEER1 to any tag VPNPEER1 keep state
pass in on $extern proto 50 from PEER2 to any tag VPNPEER2 keep state

and filter on enc0 using these tags.

additionally, if the 'bad' client sends attack packets,
these packets should be caught by the incoming flows, i.e.
they won't match the flows in netstat -nrfencap

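A fuller pf.conf fragment showing the technique from the reply above: tag the ESP flow per peer on the outside interface, then match the tag on enc0 and only pass inner sources that belong to that peer's LAN, logging everything else per peer so the culprit is identifiable. This is an added example, not code from the original message; the interface name, peer addresses, LAN prefixes and labels are placeholder values, and it assumes (as the reply states) that the tag set on the ESP state is still attached to the decapsulated packet when it reaches enc0.

```pf
# Added example (not from the original thread). Placeholder values:
extern    = "fxp0"
PEER1     = "192.0.2.10"
PEER2     = "198.51.100.20"
lan_peer1 = "10.1.0.0/16"
lan_peer2 = "10.2.0.0/16"

# Outside: let IKE through so isakmpd can negotiate the SAs at all,
# and tag ESP (proto 50) per peer. The state carries the tag, so every
# later packet of that flow is tagged too.
pass in on $extern proto udp from { $PEER1, $PEER2 } to any port 500 keep state
pass in on $extern proto 50 from $PEER1 to any tag VPNPEER1 keep state
pass in on $extern proto 50 from $PEER2 to any tag VPNPEER2 keep state

# enc0 only sees decapsulated packets. pf is last-match-wins, so the
# catch-all blocks come first and the per-peer passes last:
#   - untagged traffic on enc0 is unexpected: block and log it
#   - tagged traffic whose inner source is not that peer's LAN is
#     forged (or a misconfigured client): block and log under a
#     per-peer label so pfctl -sl shows which peer it came from
#   - tagged traffic from the right LAN passes
block in log on enc0 all label "enc0-untagged"
block in log on enc0 tagged VPNPEER1 label "peer1-bad-source"
block in log on enc0 tagged VPNPEER2 label "peer2-bad-source"
pass in on enc0 from $lan_peer1 to any tagged VPNPEER1 keep state
pass in on enc0 from $lan_peer2 to any tagged VPNPEER2 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, watch the per-peer counters with `pfctl -sl`, and read the logged packets (with the rule number that matched) via `tcpdump -n -e -ttt -i pflog0`. Packets whose addresses do not match any negotiated IPsec flow never reach enc0 in the first place, as the reply notes; these rules cover the traffic that is inside a valid flow but still comes from the wrong inner source.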