Date: Fri, 3 May 2002 22:10:56 -0700 (PDT)
From: Julian Elischer <julian@elischer.org>
To: Ben Jackson <ben@ben.com>
Cc: freebsd-net@freebsd.org
Subject: Re: ip_output: why IPSEC before IPF/IPFW?
Message-ID: <Pine.BSF.4.21.0205032207040.85737-100000@InterJet.elischer.org>
In-Reply-To: <20020504031703.GA2184@pulsar.home.ben.com>
Thanks for bringing this up.. I'm actually flabbergasted that it's so. I've been assuming it was the other way around. The advantage of having it the other way would be to be able to do other evil things to ipsec packets, but as it is you can totally block all packets and ipsec will still work.. but that's certainly not POLA.. because we tell the world that the ipfw works on ALL packets.

I'd vote to reverse it...

On Fri, 3 May 2002, Ben Jackson wrote:

> I have a FreeBSD box connected to my cable modem which NATs for the rest
> of my home network. Recently I set up IPSEC between that box and a few
> others as an experiment. Direct connections between these boxes work fine.
>
> However, since ip_output checks IPSEC before IPF/IPFW, my ipnat rules
> for the inside hosts are not applied until after the IPSEC check. Since
> they don't match the IPSEC rule (which is point-to-point, using transport
> mode) they fall through, get rewritten by ipnat into packets which WOULD
> match the SAD, and then sent directly. The far end rejects them because
> its policy is "require" ESP.
>
> Obviously this would work if I had *two* FreeBSD boxes, and had the
> "outermost" one handle only IPSEC and the "inner" one do IPF, but wouldn't
> it be easier to just move the IPSEC test below IPF/IPFW?
>
> ip_input would also have to change, but it's already in the right order,
> it just skips the IPF/IPFW section in the event of IPSEC traffic.
>
> Please CC me on the reply, I'm not on the list. Thanks.
>
> --
> Ben Jackson
> <ben@ben.com>
> http://www.ben.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
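The ordering problem Ben describes, as a constructed simulation added here (not code from the thread or from FreeBSD's ip_output): a LAN packet is matched against a transport-mode "require ESP" policy either before or after ipnat rewrites its source. Addresses, the policy and the NAT rule are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed addresses for the scenario in the thread (assumptions). */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define WAN_ADDR  IP(203, 0, 113, 10)   /* gateway's cable-modem address */
#define PEER_ADDR IP(198, 51, 100, 20)  /* IPsec peer with "require ESP" */
#define LAN_HOST  IP(192, 168, 1, 5)    /* inside host behind ipnat */
#define LAN_NET   IP(192, 168, 1, 0)
#define LAN_MASK  IP(255, 255, 255, 0)

struct pkt { uint32_t src, dst; bool esp; };

/* SPD entry: point-to-point transport-mode policy, gateway <-> peer only. */
static bool ipsec_policy_matches(const struct pkt *p)
{
    return p->src == WAN_ADDR && p->dst == PEER_ADDR;
}

/* IPsec output: a matching packet leaves wrapped in ESP. */
static void ipsec_output(struct pkt *p)
{
    if (ipsec_policy_matches(p))
        p->esp = true;
}

/* ipnat: rewrite LAN sources to the gateway's WAN address. */
static void ipnat_output(struct pkt *p)
{
    if ((p->src & LAN_MASK) == (LAN_NET & LAN_MASK))
        p->src = WAN_ADDR;
}

/* Run one packet through ip_output in either order; return whether it
 * leaves the box protected by ESP. */
bool leaves_encrypted(uint32_t src, bool ipsec_first)
{
    struct pkt p = { src, PEER_ADDR, false };
    if (ipsec_first) { ipsec_output(&p); ipnat_output(&p); }
    else             { ipnat_output(&p); ipsec_output(&p); }
    return p.esp;
}

int main(void)
{
    printf("IPsec before ipnat, LAN host: esp=%d\n", leaves_encrypted(LAN_HOST, true));
    printf("ipnat before IPsec, LAN host: esp=%d\n", leaves_encrypted(LAN_HOST, false));
    return 0;
}
```

With IPsec first, the LAN host's packet misses the policy, is then rewritten to the WAN source that the SAD would have matched, and leaves in the clear, which is exactly what the "require" peer rejects.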