From owner-freebsd-bugs@FreeBSD.ORG Sat Dec 10 11:10:05 2005
From: Yuriy Tsibizov
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Yuriy Tsibizov
Date: Sat, 10 Dec 2005 14:01:48 +0300 (MSK)
Message-Id: <200512101101.jBAB1mPB001098@free.home.local>
Subject: kern/90181: IPSEC_FILTERGIF documentation is incomplete

>Number:         90181
>Category:       kern
>Synopsis:       IPSEC_FILTERGIF documentation is incomplete
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 10 11:10:03 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Yuriy Tsibizov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD free.home.local 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Sat Dec 10 12:16:33 MSK 2005 chibis@free.home.local:/usr/obj/usr/src/sys/FREE-IPSEC i386
>Description:
/usr/src/sys/conf/NOTES does not document all consequences of adding IPSEC_FILTERGIF to the kernel configuration. It describes that this option only affects decrypted packets coming from an IPSec-encrypted gif tunnel. In reality it will also allow filtering of all decrypted IPSec data (like transport mode ESP tunnels). The ipfw "ipsec" option also works for all decrypted packets, if this kernel option is enabled.
>How-To-Repeat:
I can't check it on a real network, only on loopback (lo0).
(kernel configuration:

        options IPSEC                           #IP security
        options IPSEC_ESP                       #IP security (crypto; define w/ IPSEC)
        options IPSEC_FILTERGIF                 #filter ipsec packets from a tunnel
        options IPFIREWALL                      #firewall
        options IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
        options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
)

1. Add IPSEC configuration for the lo0 interface (SAD entry plus in/out SPD entries, fed to setkey(8)):

        setkey -c <<'EOF'
        flush;
        add 127.0.0.1 127.0.0.1 esp 0x1001 -E des-cbc 0x0000000000000001;
        spdadd 127.0.0.1/32 127.0.0.1/32 any -P out ipsec esp/tunnel/127.0.0.1-127.0.0.1/require;
        spdadd 127.0.0.1/32 127.0.0.1/32 any -P in ipsec esp/tunnel/127.0.0.1-127.0.0.1/require;
        EOF

2. Add IPFW configuration:

        ipfw flush
        ipfw add allow log logamount 100 esp from any to any
        ipfw add deny log logamount 100 ip from any to any

3. Ping localhost.

4. Look into the security log; you will get:

        Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
        Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
        Dec 10 12:25:15 free kernel: ipfw: 200 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0

5. Change IPFW configuration:

        ipfw flush
        ipfw add allow log logamount 100 esp from any to any
        ipfw add allow log logamount 100 ip from any to any ipsec
        ipfw add deny log logamount 100 ip from any to any

6. Ping localhost.

7. You will get

        Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
        Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
        Dec 10 12:32:36 free kernel: ipfw: 200 Accept ICMP:0.0 127.0.0.1 127.0.0.1 in via lo0

in your security log.

>Fix:
Update NOTES:

#
# Set IPSEC_FILTERGIF to force packets coming from IPSec
# to be processed by any configured packet filtering (ipfw, ipf).
# The default is that these packets are _not_ processed;
# they are assumed trusted.
#
# IPSEC history is preserved for such packets, and can be filtered
# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
#
>Release-Note:
>Audit-Trail:
>Unformatted:
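As an added example (not part of the PR or of FreeBSD), the following Python parses ipfw log lines in the format quoted in steps 4 and 7 and reports whether decrypted inner packets are being re-filtered (the effect of IPSEC_FILTERGIF) and which rule and action they hit; the sample input is the report's own log lines embedded as constructed data, and the regex is written against that log layout only.

```python
import re
from collections import Counter

# Constructed sample input: the two log excerpts from the PR. In RUN1 rule 200
# is "deny ip"; in RUN2 rule 200 is "allow ip ... ipsec" (matches IPsec history).
RUN1 = """\
Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:25:15 free kernel: ipfw: 200 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0
"""
RUN2 = """\
Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:32:36 free kernel: ipfw: 200 Accept ICMP:0.0 127.0.0.1 127.0.0.1 in via lo0
"""

# ipfw log layout as seen above: "<rule> <action> <proto> <src> <dst> <dir> via <ifp>".
# Protocols without a name are logged as "P:<num>" (50 = ESP), ICMP as "ICMP:<type>.<code>";
# TCP/UDP endpoints may carry a ":port" suffix, which the regex tolerates.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? (?P<dir>in|out) via (?P<ifp>\S+)"
)

def parse(log):
    """Return one dict per ipfw log line; unrelated syslog lines are skipped."""
    recs = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["rule"] = int(d["rule"])
            d["esp"] = d["proto"] == "P:50"
            recs.append(d)
    return recs

def inner_traffic_seen(recs):
    """True if a non-ESP packet was logged inbound on an interface that also logged
    inbound ESP: with IPSEC_FILTERGIF the decrypted payload passes the filter a
    second time, so it appears as a separate log entry on the same interface."""
    esp_ifps = {r["ifp"] for r in recs if r["esp"] and r["dir"] == "in"}
    return any(not r["esp"] and r["dir"] == "in" and r["ifp"] in esp_ifps for r in recs)

def inner_verdicts(recs):
    """Count (rule, action) pairs for the decrypted (non-ESP) packets only."""
    return Counter((r["rule"], r["action"]) for r in recs if not r["esp"])
```

Run against a real /var/log/security the same way; a non-empty result from inner_verdicts() shows the inner packets are being filtered, and the rule numbers tell you which rule decided them.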