From: Andriy Gapon
To: "Jacques A. Vidrine"
Cc: freebsd-security@FreeBSD.org
Date: Mon, 10 Feb 2003 15:16:19 -0500 (EST)
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
Message-id: <20030210150116.R53750@edge.foundation.invalid>
In-reply-to: <20030210192207.GC5292@opus.celabo.org>
References: <20030210114213.P53494@edge.foundation.invalid> <20030210192207.GC5292@opus.celabo.org>

On Mon, 10 Feb 2003, Jacques A. Vidrine wrote:

> What is the problem you are having, exactly? What is the `potential
> security vulnerability'?

Jacques,

maybe this is not a 'security vulnerability' per se; there were several lengthy discussions of this problem in the past, links to mailing list archives follow.

In a few words, a packet coming from an ipsec tunnel would go through ipfw twice, before and after decryption; because of that an administrator is quite restricted in filtering incoming traffic, potentially allowing undesired traffic "masked" as decrypted traffic from an ipsec tunnel.

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=9204+0+archive/2003/freebsd-net/20030105.freebsd-net
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=582949+0+archive/2002/freebsd-stable/20021124.freebsd-stable

-- 
Andriy Gapon
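The double pass described in the message above, as an added example that is not part of the thread and not FreeBSD code: a small Python model of first-match filtering that shows why the rule an administrator must write so the decrypted inner packet survives its second trip through ipfw also admits a cleartext packet forged with the remote network's source address. The interface name fxp0, the peer 203.0.113.10, the gateway 198.51.100.1, the remote network 192.168.2.0/24 and the local network 10.0.0.0/24 are all constructed. The `from_ipsec` packet attribute and the `ipsec` rule field are hypothetical; they stand for information the 4.7 rule language did not expose, which is exactly the restriction the message describes.

```python
"""Model of an inbound IPsec tunnel packet passing ipfw twice.

Added example, not code from the thread or from FreeBSD. Addresses and
the interface name are constructed; from_ipsec / ipsec are hypothetical
attributes that ipfw in 4.7 did not offer to rules.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "esp", "tcp", "udp", ...
    iface: str                 # receive interface as the filter sees it
    dport: Optional[int] = None
    # Hypothetical: True when the packet came out of IPsec decapsulation.
    from_ipsec: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str                   # CIDR, host address, or "any"
    dst: str
    iface: Optional[str] = None     # "in via <iface>"; None = any interface
    dport: Optional[int] = None
    ipsec: Optional[bool] = None    # hypothetical match; None = don't care


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.proto == "ip" or rule.proto == pkt.proto)
        and _addr_match(rule.src, pkt.src)
        and _addr_match(rule.dst, pkt.dst)
        and (rule.iface is None or rule.iface == pkt.iface)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.ipsec is None or rule.ipsec == pkt.from_ipsec)
    )


def verdict(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; implicit final deny, as in ipfw."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def decapsulate(outer: Packet, src: str, dst: str, proto: str,
                dport: Optional[int]) -> Packet:
    """Second pass: the inner packet is re-injected and is still attributed
    to the interface the ESP packet arrived on."""
    return Packet(src, dst, proto, outer.iface, dport, from_ipsec=True)


# Ruleset of the kind the message's era required: rule 2 exists only so the
# decrypted traffic survives the second pass, but it is keyed on fxp0 like
# any other inbound rule.
RULES_47 = [
    Rule("allow", "esp", "203.0.113.10", "198.51.100.1", iface="fxp0"),
    Rule("allow", "tcp", "192.168.2.0/24", "10.0.0.0/24", iface="fxp0", dport=22),
    Rule("deny", "ip", "any", "any"),
]

# Same ruleset with the hypothetical IPsec-history match added to rule 2.
RULES_TAGGED = [
    RULES_47[0],
    Rule("allow", "tcp", "192.168.2.0/24", "10.0.0.0/24", iface="fxp0",
         dport=22, ipsec=True),
    RULES_47[2],
]

OUTER = Packet("203.0.113.10", "198.51.100.1", "esp", "fxp0")   # constructed
INNER = ("192.168.2.5", "10.0.0.7", "tcp", 22)                  # constructed
# Cleartext packet from the Internet forged with the remote net's address.
SPOOFED = Packet("192.168.2.5", "10.0.0.7", "tcp", "fxp0", dport=22)


def tunnel_verdicts(rules: list[Rule]) -> tuple[str, str]:
    """Verdicts for pass 1 (ESP) and pass 2 (decrypted inner packet)."""
    return verdict(rules, OUTER), verdict(rules, decapsulate(OUTER, *INNER))


def spoof_verdict(rules: list[Rule]) -> str:
    return verdict(rules, SPOOFED)


if __name__ == "__main__":
    print("4.7-style rules, tunnel:", tunnel_verdicts(RULES_47))    # ('allow', 'allow')
    print("4.7-style rules, spoof: ", spoof_verdict(RULES_47))      # allow: the problem
    print("tagged rules, tunnel:   ", tunnel_verdicts(RULES_TAGGED))
    print("tagged rules, spoof:    ", spoof_verdict(RULES_TAGGED))  # deny
```

With the first ruleset, the forged cleartext packet gets the same "allow" as the genuine decrypted one, because both reach the filter as TCP from 192.168.2.5 on fxp0 and nothing in the rule language separates them. The tagged ruleset only illustrates what a distinguishing attribute would buy; the message itself proposes no fix. A practitioner on a modern FreeBSD should check the ipfw(8) `ipsec` match option and the enc(4) interface for the release in use rather than this model.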