On 2008/04/08 14:47, Ian Chard wrote: >> >> Hmm, it looks like IP-in-IP packets are blocked by default. See >> sysctl(3) about net.inet.ipip.allow.
That's only to the local host; PF normally forwards them unless you do
a default block (then you need to list the wanted protocols explicitly
e.g. "pass on iface proto {tcp,udp,icmp,gre,igmp,whatever}")
