Date: Mon, 10 Feb 2003 15:16:19 -0500 (EST) From: Andriy Gapon <agapon@cv-nj.com> To: "Jacques A. Vidrine" <nectar@FreeBSD.org> Cc: freebsd-security@FreeBSD.org Subject: Re: ipsec & ipfw: 4.7-release vs -stable Message-ID: <20030210150116.R53750@edge.foundation.invalid> In-Reply-To: <20030210192207.GC5292@opus.celabo.org> References: <20030210114213.P53494@edge.foundation.invalid> <20030210192207.GC5292@opus.celabo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 10 Feb 2003, Jacques A. Vidrine wrote: > What is the problem you are having, exactly? What is the `potential > security vulnaribity'? Jacques, maybe this is not a 'security vulnaribity' per se, there were several lengthy discussions of this problem in the past, links to mailing list archives follow. In a few words, a packet coming from an ipsec tunnel would go through ipfw twice, before and after decryption; because of that an administrator is quite restricted in filtering of incoming traffic, potentially allowing undesired traffic "masked" as decrypted traffic from an ipsec tunnel. http://docs.freebsd.org/cgi/getmsg.cgi?fetch=9204+0+archive/2003/freebsd-net/20030105.freebsd-net http://docs.freebsd.org/cgi/getmsg.cgi?fetch=582949+0+archive/2002/freebsd-stable/20021124.freebsd-stable -- Andriy Gapon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030210150116.R53750>