Date:      Fri, 3 May 2002 20:17:03 -0700
From:      Ben Jackson <ben@ben.com>
To:        freebsd-net@freebsd.org
Subject:   ip_output: why IPSEC before IPF/IPFW?
Message-ID:  <20020504031703.GA2184@pulsar.home.ben.com>

I have a FreeBSD box connected to my cable modem which NATs for the rest
of my home network.  Recently I set up IPSEC between that box and a few
others as an experiment.  Direct connections between these boxes work fine.

However, since ip_output checks IPSEC before IPF/IPFW, my ipnat rules
for the inside hosts are not applied until after the IPSEC check.  Since
they don't match the IPSEC rule (which is point-to-point, using transport
mode) they fall through, get rewritten by ipnat into packets which WOULD
match the SAD, and then sent directly.  The far end rejects them because
its policy is "require" ESP.

Obviously this would work if I had *two* FreeBSD boxes, and had the
"outermost" one handle only IPSEC and the "inner" one do IPF, but wouldn't
it be easier to just move the IPSEC test below IPF/IPFW?

ip_input would also have to change, but it's already in the right order,
it just skips the IPF/IPFW section in the event of IPSEC traffic.

Please CC me on the reply, I'm not on the list.  Thanks.

-- 
Ben Jackson
<ben@ben.com>
http://www.ben.com/
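The ordering problem described above, modelled as an added example (it is not part of the original message or of FreeBSD's ip_output). The addresses, the two-hook pipeline and the peer's inbound check are constructed assumptions; the point it shows is that the IPSEC policy lookup keys on the pre-NAT source address, so an inside host's packet falls through, gets rewritten by ipnat, and is then sent in the clear.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed topology (an assumption for this example, not taken from the mail):
# the inside LAN behind the NAT gateway, the gateway's external address, and
# the IPsec peer sharing a transport-mode "require ESP" policy with the gateway.
INSIDE_NET = ip_network("192.168.1.0/24")
GATEWAY_EXT = ip_address("203.0.113.1")
PEER = ip_address("198.51.100.7")

# Security policy database, keyed on the exact (src, dst) pair the kernel looks up.
SPD = {(GATEWAY_EXT, PEER): "require", (PEER, GATEWAY_EXT): "require"}

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    esp: bool = False  # True once ESP has been applied

def ipsec_hook(pkt: Packet) -> Packet:
    """The IPSEC check in ip_output: apply ESP only if (src, dst) matches a policy."""
    if SPD.get((pkt.src, pkt.dst)) == "require":
        return replace(pkt, esp=True)
    return pkt  # no match: falls through and will be sent in the clear

def ipnat_hook(pkt: Packet) -> Packet:
    """The ipnat rule: rewrite inside sources to the gateway's external address."""
    if pkt.src in INSIDE_NET:
        return replace(pkt, src=GATEWAY_EXT)
    return pkt

def ip_output(pkt: Packet, hooks) -> Packet:
    """Run the hooks in the given order and return the packet that hits the wire."""
    for hook in hooks:
        pkt = hook(pkt)
    return pkt

def far_end_accepts(pkt: Packet) -> bool:
    """The peer's inbound check: a 'require' policy rejects clear-text packets."""
    return not (SPD.get((pkt.src, pkt.dst)) == "require" and not pkt.esp)

CURRENT_ORDER = (ipsec_hook, ipnat_hook)   # IPSEC before IPF/IPFW, as in the mail
PROPOSED_ORDER = (ipnat_hook, ipsec_hook)  # IPSEC test moved below IPF/IPFW

def outcome(src: str, order):
    """Return (ESP applied?, accepted by the peer?) for a packet from src to the peer."""
    out = ip_output(Packet(ip_address(src), PEER), order)
    return out.esp, far_end_accepts(out)
```

With the current order an inside host's packet leaves without ESP and is rejected, while the gateway's own traffic works in both orders, matching what the mail reports.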

