From owner-freebsd-security Wed Mar 21 11:41:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id B22DD37B77E for ; Wed, 21 Mar 2001 11:41:03 -0800 (PST) (envelope-from itojun@itojun.org) Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id EAA10520; Thu, 22 Mar 2001 04:10:30 +0900 (JST) To: Mike Harding Cc: freebsd-security@freebsd.org In-reply-to: mvh's message of Wed, 21 Mar 2001 08:36:57 PST. <20010321163657.D0333113CB1@netcom1.netcom.com> X-Template-Reply-To: itojun@itojun.org X-Template-Return-Receipt-To: itojun@itojun.org X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2 Subject: Re: IPSEC/VPN/NAT and filtering From: itojun@iijlab.net Date: Thu, 22 Mar 2001 04:10:29 +0900 Message-ID: <10518.985201829@coconut.itojun.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >My modest proposal would be to have a sysctl variable to indicate an >alternate interface to reinject the decrypted packets (like a local >loopback, the default or maybe a new one, lo1). Then you know that >anything coming in that interface was inserted by the KAME stack and >you can apply filtering to it. This would allow firewall and IPSEC >gateway functionality to be put into the same box. strong no to changing m->m_pkthdr.rcvif on IPsec tunnel operations. that behavior will kill scoped addresses, as well as recently- discussed-to-death strong host model node. see latest NetBSD source code tree, and the following URL, on how we handled it (now ipfilter looks at wire format packet only). i have no environment/time to do the same on freebsd, but i can say that the foundations are there in kame and netbsd tree. (you can check if the packet went throught ip sec on inbound, by using ipsec_gethist()) http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction itojun To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message