From owner-freebsd-net Tue Jan 15 4:32:45 2002
Delivered-To: freebsd-net@freebsd.org
Message-Id: <200201151213.g0FCDbw92015@guinness.syncrontech.com>
From: Ari Suutari
To: Alex Le Heux
Subject: Re: Filtering packets received through an ipsec tunnel
Date: Tue, 15 Jan 2002 14:22:17 +0200
Cc: Rene de Vries, Kshitij Gunjikar, net@FreeBSD.ORG
References: <200201150733.g0F7Xww91320@guinness.syncrontech.com> <20020115121821.GU75815@funk.org>
In-Reply-To: <20020115121821.GU75815@funk.org>

Hi,

On Tuesday 15 January 2002 14:18, Alex Le Heux wrote:
> > Maybe one could remove this, add 'ipsec' flag to ipfw
> > (which would use the above ipsec_gethist to match it)
> > so the syntax would be something like this:
> >
> > ipfw add pass tcp from a to b ipsec setup # matches only packets that came
> > via ipsec stack
> > ipfw add pass 50 from a to b # matches packets that didn't come via ipsec
>
> [snip]
>
> This looks like it would work for most situations.
>
> What one would not be able to do this way is prevent spoofing. In an ideal
> world I would also want to filter packets that come from the wrong tunnel.

But doesn't the ipsec stack already take care of this? I think (hope) that it doesn't process the packet if it is coming from the wrong tunnel, because the packet does not match the policy.

	Ari S.