From owner-freebsd-stable Mon Nov 25 8:47:42 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B6B5A37B401 for ; Mon, 25 Nov 2002 08:47:40 -0800 (PST)
Received: from math.teaser.net (math.teaser.net [213.91.2.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 787A443EDA for ; Mon, 25 Nov 2002 08:47:39 -0800 (PST) (envelope-from e-masson@kisoft-services.com)
Received: from notbsdems.nantes.kisoft-services.com (nantes.kisoft-services.com [193.56.60.243]) by math.teaser.net (Postfix) with ESMTP id B01BB6C810; Mon, 25 Nov 2002 17:47:23 +0100 (CET)
Received: by notbsdems.nantes.kisoft-services.com (Postfix, from userid 1001) id 333DD5A251; Mon, 25 Nov 2002 17:46:48 +0100 (CET)
To: Ari Suutari
Cc: greg.panula@dolaninformation.com, David Kelly, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
References: <200211142157.57459.dkelly@HiWAAY.net> <3DD4F4D1.83C77B0@dolaninformation.com> <200211180854.29349.ari.suutari@syncrontech.com>
From: Eric Masson
In-Reply-To: <200211180854.29349.ari.suutari@syncrontech.com> (Ari Suutari's message of "Mon, 18 Nov 2002 08:54:29 +0200")
X-Operating-System: FreeBSD 4.7-STABLE i386
Date: Mon, 25 Nov 2002 17:46:47 +0100
Message-ID: <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com>
User-Agent: Gnus/5.090008 (Oort Gnus v0.08) XEmacs/21.4 (Common Lisp, i386--freebsd)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

>>>>> "Ari" == Ari Suutari writes:

Ari> This means that packets decapsulated from ipsec packets are
Ari> passed again to ipfw rule processing. Things used to be like this
Ari> some releases ago.

Ok, I use ipf + ipsec tunnel on a tun (pppoe) interface here.
Ari> Although this might break some rulesets I like it since it gives
Ari> better security for some of my cases.

In my case, the LAN joined by the VPN uses RFC 1918 addresses, and if I want the VPN traffic to flow correctly, I must invalidate incoming RFC 1918 address checking on the external firewall interface. I don't think it increases security ;)

So, is there any fix floating around, or is this definitely the right behaviour?

Eric Masson

--
Chat calmly with Michel Guillou??? I have NEVER seen anyone more of a *fascist* than this guy. It's sickening.
-+- Rocou In GNU - Got the FFL's address? It's so I can write -+-

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
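The ruleset conflict Eric describes, modelled as an added example (not code from the mail, from ipf or from ipfw): a first-match filter evaluated over constructed packets. The interface name tun0, the documentation addresses, the remote LAN prefix and the rule syntax are all assumptions made here for illustration; the point is only that a decapsulated inner packet re-injected on the external interface carries an RFC 1918 source, so a blanket anti-spoof rule on that interface drops it, while the narrowest exception that lets it through (allow the remote LAN prefix before the bogon rule) also passes a forged packet that was never inside ESP, which is why the exception does not add security.

```python
"""Toy first-match packet filter for the IPsec / RFC 1918 anti-spoof conflict.

Added example, not code from the original message, from ipf or from ipfw.
Interface names, addresses, the remote LAN prefix and the rule shape are
constructed assumptions; no kernel behaviour beyond "decapsulated packets are
filtered again on the outer interface" is modelled.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the filter sees the packet arriving on
    src: str
    dst: str
    proto: str   # "esp" for the outer tunnel packet, "tcp" for inner traffic


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    iface: str   # "*" matches any interface
    src: str     # a prefix, "rfc1918" (any private range) or "*"
    proto: str   # "*" matches any protocol


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != "*" and rule.iface != pkt.iface:
        return False
    if rule.proto != "*" and rule.proto != pkt.proto:
        return False
    src = ipaddress.ip_address(pkt.src)
    if rule.src == "rfc1918":
        return any(src in net for net in RFC1918)
    if rule.src != "*":
        return src in ipaddress.ip_network(rule.src)
    return True


def decide(rules, pkt: Packet, default: str = "block") -> str:
    """First matching rule wins (ipfw semantics; ipf is last-match unless 'quick')."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def evaluate(rules, packets):
    return {name: decide(rules, pkt) for name, pkt in packets.items()}


# Constructed traffic on the external (PPPoE) interface, assumed to be tun0.
PEER_PUBLIC = "203.0.113.7"     # assumed public address of the remote VPN gateway
REMOTE_LAN = "192.168.10.0/24"  # assumed RFC 1918 LAN behind that gateway
PACKETS = {
    # outer ESP packet from the peer gateway
    "esp_outer":   Packet("tun0", PEER_PUBLIC, "198.51.100.2", "esp"),
    # the decapsulated inner packet, filtered again on the same interface
    "vpn_inner":   Packet("tun0", "192.168.10.5", "192.168.1.20", "tcp"),
    # plain spoofed private source from the Internet
    "spoof_other": Packet("tun0", "10.9.9.9", "192.168.1.20", "tcp"),
    # forged packet claiming the remote LAN prefix, never carried inside ESP
    "spoof_peer":  Packet("tun0", "192.168.10.66", "192.168.1.20", "tcp"),
}

# Strict anti-spoofing: private sources on the external interface are blocked.
STRICT = [
    Rule("pass", "tun0", PEER_PUBLIC, "esp"),
    Rule("block", "tun0", "rfc1918", "*"),
    Rule("pass", "*", "*", "*"),
]

# Narrowest workaround: exempt only the remote LAN prefix, ahead of the bogon rule.
NARROWED = [
    Rule("pass", "tun0", PEER_PUBLIC, "esp"),
    Rule("pass", "tun0", REMOTE_LAN, "*"),
    Rule("block", "tun0", "rfc1918", "*"),
    Rule("pass", "*", "*", "*"),
]

if __name__ == "__main__":
    for name, rules in (("strict", STRICT), ("narrowed", NARROWED)):
        print(name, evaluate(rules, PACKETS))
```

Running it shows the trade-off in the mail: STRICT blocks vpn_inner along with both spoofed packets, NARROWED passes vpn_inner but also passes spoof_peer, because once the inner packet is filtered on the outer interface the filter has no way to tell a decapsulated source from a forged one.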