From: "Barry Irwin" <bvi@itouchlabs.com>
To: "Alwyn Goodloe" <agoodloe@gradient.cis.upenn.edu>, freebsd-security@freebsd.org
Subject: Re: IPSEC port filtering
Date: Mon, 3 Mar 2003 09:38:46 +0200
Organization: iTouch Labs
Message-ID: <005501c2e157$ec8e7a80$4508a8c0@Beastie>

Somewhat related, I noticed this when trying to crypt only certain TCP ports, and also when trying to exclude certain ports from being encrypted. Had the problem on 4.3, 4.4 and 4.5. Unfortunately I haven't had an opportunity to follow this up in detail on a later release. When I looked round at the time, I could not find any specific reference to the problem.
Barry
-- 
Barry Irwin   bvi@itouchlabs.com   Tel: +27214875178
Systems Administrator: Networks And Security
iTouch TAS   http://www.itouchlabs.com   Mobile: +27824457210

----- Original Message -----
From: "Alwyn Goodloe"
To: freebsd-security@freebsd.org
Sent: Saturday, March 01, 2003 11:32 PM
Subject: IPSEC port filtering

> In performing the setup for an experiment I have the following command:
>
> setkey -c <
>
> spdadd 192.168.4.2/32[any] 192.168.3.2/32[3322] udp -P out ipsec
>        esp/tunnel/192.168.5.1-192.168.7.2/require
>        esp/tunnel/192.168.5.1-192.168.5.2/require ;
>
> Unfortunately, it doesn't seem to be filtering out the UDP packets heading
> to that port. They just pass over the wire in the clear. Using tcpdump
> I can watch them heading for 192.168.3.2.3322.
> If I remove the port ([3322]) the packets are put in the tunnel. Is there
> something wrong with the port filtering here?
>
> Alwyn Goodloe
> agoodloe@gradient.cis.upenn.edu
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
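The check a practitioner would want for the situation in this thread, as an added example that is not code from either poster: build the port-restricted SPD entries the original message describes (same addresses, port and gateways), then confirm that the port selector actually reached the kernel by parsing `setkey -DP` output, and verify on the wire with a tcpdump filter that separates cleartext UDP/3322 from ESP between the gateways. A packet that leaves in the clear means no SPD entry matched it at all, since a `require` policy with no SA drops the packet rather than sending it unprotected. The helper names (`build_policy`, `spd_has_policy`, `wire_check_filter`) are this example's own, and `SAMPLE_SPD` is a constructed dump laid out like the KAME/FreeBSD `setkey -DP` format (selector line, then indented direction and policy lines); the real dump from a 4.x box is what you would feed in.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds and checks the
# port-selector SPD policy discussed above; helper names are this example's.

# Emit setkey policy text for "ESP only for UDP to dst:port", both directions.
# Each spdadd must end with ';' or setkey rejects the input. A selector is
# addr/prefix[port]; [any] means "do not match on the port".
build_policy() {
    # $1 src  $2 dst  $3 dst-port  $4 proto  $5 local gateway  $6 remote gateway
    printf 'spdadd %s/32[any] %s/32[%s] %s -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
    printf 'spdadd %s/32[%s] %s/32[any] %s -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$2" "$3" "$1" "$4" "$6" "$5"
}

# Read `setkey -DP` output on stdin; succeed only if an entry exists whose
# selector line is exactly "src[sport] dst[dport] proto" and whose next line
# names the given direction. Host selectors may print with or without /32
# depending on the version, so strip it before comparing.
spd_has_policy() {
    # $1 src  $2 sport  $3 dst  $4 dport  $5 proto  $6 direction (in|out)
    awk -v want="$1[$2] $3[$4] $5" -v dir="$6" '
        $0 !~ /^[[:space:]]/ { hdr = $0; gsub("/32", "", hdr); next }
        $1 == dir && $2 == "ipsec" && hdr == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# tcpdump expression for the outer interface: hits on the first clause are
# cleartext leaks (no SPD match); hits on the second are the tunnel working.
wire_check_filter() {
    # $1 dst  $2 dport  $3 local gateway  $4 remote gateway
    printf '(host %s and udp port %s) or (esp and host %s and host %s)\n' "$1" "$2" "$3" "$4"
}

# Constructed `setkey -DP` dump (not captured from a real system): the
# outbound UDP/3322 policy installed with its port selector, the inbound
# mirror exists, and there is no TCP policy.
SAMPLE_SPD='192.168.4.2[any] 192.168.3.2[3322] udp
    out ipsec
    esp/tunnel/192.168.5.1-192.168.7.2/require
    spid=1 seq=1 pid=1234
    refcnt=1
192.168.3.2[3322] 192.168.4.2[any] udp
    in ipsec
    esp/tunnel/192.168.7.2-192.168.5.1/require
    spid=2 seq=0 pid=1234
    refcnt=1'

# Stand-alone run: print the policy, check the constructed dump, show the filter.
build_policy 192.168.4.2 192.168.3.2 3322 udp 192.168.5.1 192.168.7.2
if printf '%s\n' "$SAMPLE_SPD" | spd_has_policy 192.168.4.2 any 192.168.3.2 3322 udp out; then
    echo "SPD: outbound UDP/3322 policy present with port selector"
else
    echo "SPD: port selector missing - UDP/3322 will leave in the clear"
fi
echo "tcpdump -ni <outer-if> '$(wire_check_filter 192.168.3.2 3322 192.168.5.1 192.168.7.2)'"
```

On the real box, load the policy with `build_policy ... | setkey -c` as root and then run `setkey -DP | spd_has_policy 192.168.4.2 any 192.168.3.2 3322 udp out`; if that fails while the port-less variant succeeds, the selector was rejected or rewritten at install time and the tcpdump on the outer interface will show the cleartext hits. Note that the policy only selects traffic; SAs between the gateways (manual `add` entries or racoon) must also exist or `require` drops the packets.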