From: Erwan Arzur
Organization: NetValue Ltd.
Date: Tue, 26 Sep 2000 20:45:30 +0800
To: Ari Suutari
Cc: "Eric J. Schwertfeger", freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPSEC tunnel mode & ipfw
Message-ID: <39D09A6A.C890BD35@netvalue.com>
References: <003f01bffaac$5cfd3440$0e05a8c0@intranet.syncrontech.com>

Ari Suutari wrote:
>
> Hi,
>
> > On Fri, 28 Jul 2000, Ari Suutari wrote:
> >
> > > However, I'm a little bit worried, since this last rule
> > > would also allow packets through if someone pretends
> > > to be 192.168.1.xxx since there is no way to tell ipfw
> > > that the rule is valid only if the packet being examined
> > > has arrived through IPsec tunnel.
> > >
> > > I solved this temporarily by using pipsecd - now I can
> > > trust that packets coming from interface tun0 have
> > > gone through IPsec checks. However, I would like
> > > to use the functionality available in kernel.
> >
> > I've tackled that problem as well, and came up with two possible
> > solutions.
>

A second box on each end (with 2 ethernet cards) would do the trick. You'd
only have to let ip proto 50 go through your firewall.

A bit more expensive, but much safer, I think ...

--
Erwan Arzur
NetValue ltd.
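Added illustration, not code from the thread: a first-match model of two ipfw rulesets showing why a plain "allow from 192.168.1.0/24" on the outside interface is spoofable, and how the reply's two-box layout (only ESP, ip proto 50, crosses the firewall; decrypted traffic arrives on an inner interface) closes that hole. Interface names, the peer gateway address and the sample packets are constructed for the example.

```python
# Added example: models ipfw's first-match evaluation over two rulesets.
# Interfaces ext0/int0, peer 203.0.113.1 and all packets are constructed.
import ipaddress

ESP = 50  # IP protocol number for IPsec ESP ("ip proto 50" in the reply)

def matches(rule, pkt):
    """A rule matches when every clause it specifies holds for the packet."""
    if rule.get("proto") not in (None, pkt["proto"]):
        return False
    if rule.get("via") not in (None, pkt["via"]):
        return False
    src = rule.get("src")
    if src is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    return True

def evaluate(ruleset, pkt):
    """Action of the first matching rule; unmatched traffic is denied, as in ipfw."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

# Weak ruleset from the question: trusts any packet that claims a remote-LAN
# source on the external interface, since ipfw cannot tell whether the packet
# was just decrypted from the tunnel or arrived as forged cleartext.
WEAK = [
    {"action": "allow", "src": "192.168.1.0/24", "via": "ext0"},
]

# Safer ruleset from the reply: only ESP from the known peer gateway passes on
# ext0; cleartext with private source addresses is accepted only on int0, the
# link to the dedicated IPsec box that did the decryption and integrity check.
STRICT = [
    {"action": "allow", "proto": ESP, "src": "203.0.113.1/32", "via": "ext0"},
    {"action": "allow", "src": "192.168.1.0/24", "via": "int0"},
]

# Constructed sample packets (proto 6 = TCP).
SPOOFED = {"src": "192.168.1.5", "proto": 6, "via": "ext0"}    # forged cleartext
TUNNEL = {"src": "203.0.113.1", "proto": ESP, "via": "ext0"}   # genuine ESP
INNER = {"src": "192.168.1.5", "proto": 6, "via": "int0"}      # decrypted by IPsec box
```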