From: Ben Jackson
To: freebsd-net@freebsd.org
Date: Fri, 3 May 2002 20:17:03 -0700
Subject: ip_output: why IPSEC before IPF/IPFW?
Message-ID: <20020504031703.GA2184@pulsar.home.ben.com>

I have a FreeBSD box connected to my cable modem which NATs for the rest of my home network. Recently I set up IPSEC between that box and a few others as an experiment. Direct connections between these boxes work fine.

However, since ip_output checks IPSEC before IPF/IPFW, my ipnat rules for the inside hosts are not applied until after the IPSEC check. Since they don't match the IPSEC rule (which is point-to-point, using transport mode) they fall through, get rewritten by ipnat into packets which WOULD match the SAD, and are then sent directly. The far end rejects them because its policy is "require" ESP.

Obviously this would work if I had *two* FreeBSD boxes, and had the "outermost" one handle only IPSEC and the "inner" one do IPF, but wouldn't it be easier to just move the IPSEC test below IPF/IPFW?

ip_input would also have to change, but it's already in the right order; it just skips the IPF/IPFW section in the event of IPSEC traffic.

Please CC me on the reply, I'm not on the list. Thanks.

-- 
Ben Jackson
http://www.ben.com/
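The ordering problem the post describes, modelled as an added example (constructed toy code, not FreeBSD's ip_output): a point-to-point transport-mode SPD entry, an ipnat rewrite for inside hosts, and the two stage orders. All addresses are constructed placeholders.

```python
"""Toy model of the ip_output ordering issue: IPsec policy lookup vs. NAT rewrite.
Constructed example; the addresses and rules below are placeholders."""
from dataclasses import dataclass, replace

GATEWAY = "192.0.2.1"     # constructed: NAT box's outside address
PEER = "198.51.100.7"     # constructed: IPsec peer, transport-mode policy
INSIDE = "10.0.0.5"       # constructed: host behind the NAT box

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp: bool = False      # True once ESP has been applied

def ipsec_policy(pkt: Packet) -> Packet:
    """Point-to-point SPD entry: gateway -> peer requires ESP; anything else bypasses."""
    if pkt.src == GATEWAY and pkt.dst == PEER and not pkt.esp:
        return replace(pkt, esp=True)
    return pkt

def ipnat(pkt: Packet) -> Packet:
    """ipnat-style rewrite: inside hosts leave with the gateway's outside address."""
    if pkt.src.startswith("10.0.0."):
        return replace(pkt, src=GATEWAY)
    return pkt

# The order the post complains about, and the order it proposes.
CURRENT_ORDER = (ipsec_policy, ipnat)
PROPOSED_ORDER = (ipnat, ipsec_policy)

def ip_output(pkt: Packet, order) -> Packet:
    """Run the packet through the output stages in the given order."""
    for stage in order:
        pkt = stage(pkt)
    return pkt

def peer_accepts(pkt: Packet) -> bool:
    """Far end's policy is 'require' ESP for traffic arriving from the gateway."""
    if pkt.dst != PEER:
        return False
    return pkt.esp if pkt.src == GATEWAY else True

if __name__ == "__main__":
    for name, order in (("current", CURRENT_ORDER), ("proposed", PROPOSED_ORDER)):
        out = ip_output(Packet(INSIDE, PEER), order)
        print(f"{name}: {out} accepted={peer_accepts(out)}")
```

With the current order the inside host's packet misses the policy, is rewritten to the gateway address, and reaches the peer in the clear; with NAT first it matches the policy and is ESP-protected.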