Date: Tue, 26 Sep 2000 20:45:30 +0800
From: Erwan Arzur <erwan@netvalue.com>
To: Ari Suutari <ari@suutari.iki.fi>
Cc: "Eric J. Schwertfeger" <ejs@bfd.com>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPSEC tunnel mode & ipfw
Message-ID: <39D09A6A.C890BD35@netvalue.com>
References: <Pine.BSF.4.21.0007280739190.2119-100000@harlie.bfd.com> <003f01bffaac$5cfd3440$0e05a8c0@intranet.syncrontech.com>
Ari Suutari wrote:
>
> Hi,
>
> > On Fri, 28 Jul 2000, Ari Suutari wrote:
> >
> > > However, I'm a little bit worried, since this last rule
> > > would also allow packets through if someone pretends
> > > to be 192.168.1.xxx since there is no way to tell ipfw
> > > that the rule is valid only if the packet being examined
> > > has arrived through IPsec tunnel.
> > >
> > > I solved this temporarily by using pipsecd - now I can
> > > trust that packets coming from interface tun0 have
> > > gone through IPsec checks. However, I would like
> > > to use the functionality available in kernel.
> >
> > I've tackled that problem as well, and came up with two possible
> > solutions.
>

A second box on each end (with 2 Ethernet cards) would do the trick. You'd only have to let ip proto 50 go through your firewall. A bit more expensive, but much safer, I think ...

--
Erwan Arzur
NetValue ltd.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
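The problem raised in the quoted message and the two-box answer above can be made concrete with a toy first-match filter modelled on ipfw semantics. This is an added example, not code from the thread, from ipfw or from any of the posters; the gateway addresses, LAN prefixes, interface names and the `via_ipsec` packet attribute are constructed for the illustration. It shows three rulesets: the single-box ruleset whose last rule trusts any packet claiming a 192.168.1.x source, the outer box of the suggested two-box design that passes only IP protocol 50 (ESP) from the peer gateway, and a single-box variant whose last rule is conditional on IPsec history (the check the original poster wished ipfw could express; later ipfw releases added an `ipsec` match option with that meaning, which the `ipsec` field here only models).

```python
# Added example (not code from the thread): a toy first-match packet filter
# modelled on ipfw semantics. It shows why "allow ip from 192.168.1.0/24 ..."
# cannot tell tunnelled traffic from spoofed cleartext, and how the ESP-only
# outer box or an IPsec-aware match closes that gap. All addresses, interface
# names and packets below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "esp" (IP protocol 50), ...
    src: str
    dst: str
    iface: str                 # interface the packet was received on
    via_ipsec: bool = False    # True only if the kernel decapsulated it from an SA


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "ip"                # "ip" matches any protocol, as in ipfw
    src: str = "any"                 # address or prefix; "any" matches all
    dst: str = "any"
    recv: Optional[str] = None       # match only packets received on this interface
    ipsec: Optional[bool] = None     # None: don't care; True: require IPsec history

    def matches(self, pkt: Packet) -> bool:
        def addr_ok(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not addr_ok(self.src, pkt.src) or not addr_ok(self.dst, pkt.dst):
            return False
        if self.recv is not None and self.recv != pkt.iface:
            return False
        if self.ipsec is not None and self.ipsec != pkt.via_ipsec:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


PEER_GW, LOCAL_GW = "203.0.113.2", "198.51.100.1"      # constructed tunnel endpoints
REMOTE_LAN, LOCAL_LAN = "192.168.1.0/24", "192.168.2.0/24"

# Ruleset as discussed in the thread: ESP is let in, then a final rule trusts
# anything claiming to come from the remote LAN. Nothing ties it to the tunnel.
SINGLE_BOX = [
    Rule("allow", proto="esp", src=PEER_GW, dst=LOCAL_GW),
    Rule("allow", src=REMOTE_LAN, dst=LOCAL_LAN),
    Rule("deny"),
]

# Outer box of the two-box design from the reply: only protocol 50 from the
# peer gateway passes. It never decapsulates, so cleartext with a forged
# 192.168.1.x source is dropped before it can reach the inner (IPsec) box.
OUTER_BOX = [
    Rule("allow", proto="esp", src=PEER_GW, dst=LOCAL_GW),
    Rule("deny"),
]

# Single-box variant whose last rule requires IPsec history on the packet,
# modelling the condition the original poster wanted ipfw to express.
SINGLE_BOX_IPSEC_AWARE = [
    Rule("allow", proto="esp", src=PEER_GW, dst=LOCAL_GW),
    Rule("allow", src=REMOTE_LAN, dst=LOCAL_LAN, ipsec=True),
    Rule("deny"),
]

# Constructed packets: one genuinely decapsulated from the tunnel, one
# cleartext packet from the outside carrying a forged remote-LAN source,
# and the ESP datagram itself as the outer box sees it.
TUNNELLED = Packet("tcp", "192.168.1.10", "192.168.2.20", "rl0", via_ipsec=True)
SPOOFED = Packet("tcp", "192.168.1.10", "192.168.2.20", "rl0", via_ipsec=False)
ESP_FROM_PEER = Packet("esp", PEER_GW, LOCAL_GW, "rl0")


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of a ruleset for each of the three constructed packets."""
    return {name: evaluate(rules, pkt) for name, pkt in
            [("tunnelled", TUNNELLED), ("spoofed", SPOOFED), ("esp", ESP_FROM_PEER)]}


if __name__ == "__main__":
    for name, rules in [("single box", SINGLE_BOX), ("outer box", OUTER_BOX),
                        ("single box, ipsec-aware", SINGLE_BOX_IPSEC_AWARE)]:
        print(f"{name:24s} {verdicts(rules)}")
```

Running it shows the single-box ruleset allowing both the tunnelled and the spoofed packet, which is exactly the worry in the quoted message. The outer box allows only the ESP datagram and drops everything else, so decapsulation and the LAN-to-LAN rule live on the inner box, which only ever sees traffic that came out of the tunnel. The ipsec-aware variant allows the tunnelled packet and denies the spoofed one on a single box.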
