From: "Ari Suutari"
To: "Vincent Poy", "Andre Oppermann"
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
Message-ID: <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com>
References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com>
X-BeenThere: freebsd-net@freebsd.org
Date: Sun, 03 Jul 2005 00:45:47 -0000
X-Original-Date: Mon, 1 Nov 2004 09:35:58 +0200

Hi,

> I am experiencing the same problem as well when I updated from a March
> 6, 2004 -CURRENT to the October 19, 2004 -CURRENT. The problem still
> exists with the October 27, 2004 -CURRENT. I'm using ipfw/dummynet
> for outgoing queues with the ACK packets having the highest priority
> in its own queue. However, it seems like while the queues are there,
> the information on ipfw queue show doesn't update at all as the Source
> and Destination IP is still the same as the first packet after bootup
> while the counters change, but the ACK packets are not sent on their own
> queue but rather with all other packets. I know it is related with
> pfil_hook when ipfw was converted.

This is not related to the pfil_hook conversion. The problem is also
present in FreeBSD 4.x-STABLE (just tested it).
I think that the history of ipfw and ipsec interaction goes like this:

- In the very beginning, a packet that was processed by ipsec didn't hit
  ipfw at all in unencrypted form, i.e. one was able to filter the esp and
  ah protocols only.

- Someone fixed this, apparently for incoming packets only, but some folks
  were upset by the fact that they would have to add a rule for unencrypted
  protocols into ipfw. At that time (in ipfw1), there was a possibility to
  check that an unencrypted packet actually came from ipsec (i.e. the ipfw
  ipsec flag wasn't implemented).

- The IPSEC_FILTERGIF option was added. If set, incoming packets go through
  ipfw twice (encrypted and unencrypted). If not set, packets go to ipfw
  only once (encrypted).

Currently outgoing packets are always processed as if IPSEC_FILTERGIF was
not set (I like to have it set, because I need quite fine-grained
firewalling even inside my ipsec tunnels, which are between different
companies).

What I was suggesting (i.e. moving pfil_hook processing in ip_output before
the ipsec stuff) wasn't really correct: the change should be conditional
on the IPSEC_FILTERGIF setting, i.e. the change I described should be done
only when IPSEC_FILTERGIF is set.

Now, ip_output is quite a central part of the IP stack. I would be happy
if someone who knows that part better than me could implement this (I can
surely test it easily).

	Ari S.

>
> Cheers,
> Vince
>
> On Sat, 30 Oct 2004 09:27:50 +0300, Ari Suutari wrote:
>> Hi,
>>
>> I noticed that the processing order of ipsec and ipfw (pfil_hook) is not
>> correct for outgoing packets. Currently, ipsec processing is done first,
>> which makes packets go through without firewall inspection.
>> This might be a security problem for someone, but at least it
>> breaks stateful rule handling.
>>
>> My test setup is (all FreeBSD 5.3-RC1 machines):
>>
>>   freebsd laptop <-> ipsec tunnel <-> freebsd server
>>
>> When the server sends a packet to the laptop, it now goes like this:
>>
>>   ip_output -> ipsec -> ip_output -> ipfw -> network
>>
>> It should go like this:
>>
>>   ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network
>>
>> I think that this could be fixed by just moving pfil_hook
>> processing in ip_output before ipsec processing.
>>
>> Ari S.
>>
>> _______________________________________________
>> freebsd-current@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>>
>
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
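The two ip_output orderings quoted in the thread (ipsec before ipfw, versus ipfw before ipsec as wanted when IPSEC_FILTERGIF is set), turned into a small added illustration. This is a toy model written for this page, not FreeBSD kernel code; the names model_ip_output, fw_trace, ORDER_IPSEC_FIRST and ORDER_FILTER_FIRST are invented for it, and only the stage names ip_output, ipfw and ipsec come from the mail. It shows why a stateful rule on the inner TCP flow can never match in the current ordering: the firewall hook only ever sees the ESP packet that re-enters ip_output after encapsulation.

```c
/*
 * Added illustration, not FreeBSD kernel code: a toy model of the two
 * ip_output orderings discussed in the thread. Type and function names
 * are invented for the example.
 */
#include <stdio.h>
#include <stdbool.h>

enum { PROTO_TCP = 6, PROTO_ESP = 50 };

/* Ordering of stages inside the model's ip_output. */
enum order {
    ORDER_IPSEC_FIRST = 0,   /* current behaviour described in the thread   */
    ORDER_FILTER_FIRST = 1   /* behaviour wanted when IPSEC_FILTERGIF is set */
};

/* Minimal packet: only the outermost IP protocol matters here. */
struct pkt {
    int proto;        /* protocol number of the outermost IP header        */
    int inner_proto;  /* protocol before ESP encapsulation, 0 if cleartext */
};

/* Record of every packet the firewall hook inspected, in order. */
#define MAX_TRACE 4
struct fw_trace {
    int proto[MAX_TRACE];
    int n;
};

static void ipfw_hook(struct fw_trace *t, const struct pkt *p)
{
    if (t->n < MAX_TRACE)
        t->proto[t->n++] = p->proto;
}

/* ipsec tunnel mode: wrap the packet in ESP; the inner header is hidden. */
static void ipsec_encap(struct pkt *p)
{
    p->inner_proto = p->proto;
    p->proto = PROTO_ESP;
}

/*
 * Toy ip_output for one outgoing TCP packet. In both orderings the
 * encapsulated packet re-enters ip_output once and passes the firewall
 * as ESP; the difference is whether the firewall also saw the cleartext
 * packet before encapsulation.
 */
static struct fw_trace model_ip_output(enum order o, bool needs_ipsec)
{
    struct pkt p = { PROTO_TCP, 0 };
    struct fw_trace t = { {0}, 0 };

    if (!needs_ipsec) {
        ipfw_hook(&t, &p);     /* plain path: one firewall pass */
        return t;
    }
    if (o == ORDER_FILTER_FIRST)
        ipfw_hook(&t, &p);     /* cleartext inspection before ipsec */
    ipsec_encap(&p);
    ipfw_hook(&t, &p);         /* re-entered ip_output: firewall sees ESP */
    return t;
}

/* Number of firewall passes for a TCP packet under the given ordering. */
int fw_passes(int order, int needs_ipsec)
{
    struct fw_trace t = model_ip_output((enum order)order, needs_ipsec != 0);
    return t.n;
}

/* Protocol number the firewall saw on pass idx, or -1 if no such pass. */
int fw_proto_seen(int order, int needs_ipsec, int idx)
{
    struct fw_trace t = model_ip_output((enum order)order, needs_ipsec != 0);
    return (idx >= 0 && idx < t.n) ? t.proto[idx] : -1;
}

/* 1 if a rule written against the inner TCP flow (e.g. keep-state on tcp)
 * could ever match, i.e. the firewall saw the packet before encapsulation. */
int stateful_tcp_rule_can_match(int order, int needs_ipsec)
{
    struct fw_trace t = model_ip_output((enum order)order, needs_ipsec != 0);
    for (int i = 0; i < t.n; i++)
        if (t.proto[i] == PROTO_TCP)
            return 1;
    return 0;
}

int main(void)
{
    const char *names[] = { "ipsec first (current)", "ipfw first (FILTERGIF)" };
    for (int o = 0; o < 2; o++) {
        printf("%-24s passes=%d protos=", names[o], fw_passes(o, 1));
        for (int i = 0; i < fw_passes(o, 1); i++)
            printf("%d ", fw_proto_seen(o, 1, i));
        printf("tcp-rule-can-match=%d\n", stateful_tcp_rule_can_match(o, 1));
    }
    return 0;
}
```

Running it prints one line per ordering: under ORDER_IPSEC_FIRST the firewall gets a single pass that sees protocol 50 (ESP) only, so a TCP keep-state rule has nothing to match; under ORDER_FILTER_FIRST it gets two passes, protocol 6 (TCP) then 50 (ESP), which is the double inspection the IPSEC_FILTERGIF option already gives incoming packets.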