From owner-freebsd-net Fri May 3 22:20:15 2002
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 9B77837B41D for ; Fri, 3 May 2002 22:20:06 -0700 (PDT)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020504052006.EKWO2627.rwcrmhc54.attbi.com@InterJet.elischer.org>; Sat, 4 May 2002 05:20:06 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id WAA85889; Fri, 3 May 2002 22:10:57 -0700 (PDT)
Date: Fri, 3 May 2002 22:10:56 -0700 (PDT)
From: Julian Elischer
To: Ben Jackson
Cc: freebsd-net@freebsd.org
Subject: Re: ip_output: why IPSEC before IPF/IPFW?
In-Reply-To: <20020504031703.GA2184@pulsar.home.ben.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Thanks for bringing this up. I'm actually flabbergasted that it's so. I've been assuming it was the other way around.

The advantage of having it the other way would be to be able to do other evil things to ipsec packets, but as it is you can totally block all packets and ipsec will still work. But that's certainly not POLA, because we tell the world that ipfw works on ALL packets.

I'd vote to reverse it...

On Fri, 3 May 2002, Ben Jackson wrote:

> I have a FreeBSD box connected to my cable modem which NATs for the rest
> of my home network. Recently I set up IPSEC between that box and a few
> others as an experiment. Direct connections between these boxes work fine.
>
> However, since ip_output checks IPSEC before IPF/IPFW, my ipnat rules
> for the inside hosts are not applied until after the IPSEC check. Since
> they don't match the IPSEC rule (which is point-to-point, using transport
> mode) they fall through, get rewritten by ipnat into packets which WOULD
> match the SAD, and then get sent directly. The far end rejects them because
> its policy is "require" ESP.
>
> Obviously this would work if I had *two* FreeBSD boxes, and had the
> "outermost" one handle only IPSEC and the "inner" one do IPF, but wouldn't
> it be easier to just move the IPSEC test below IPF/IPFW?
>
> ip_input would also have to change, but it's already in the right order;
> it just skips the IPF/IPFW section in the event of IPSEC traffic.
>
> Please CC me on the reply, I'm not on the list. Thanks.
>
> --
> Ben Jackson
>
> http://www.ben.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
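The ordering problem described in the thread, as an added toy model that is not FreeBSD kernel code and not code from either poster: an outbound packet passes through an IPsec SPD lookup hook and a NAT hook, and the only thing that differs between the two runs is which hook goes first. The addresses (gateway 192.0.2.1, peer 198.51.100.7, inside net 192.168.1.0/24), the exact-match transport-mode SPD entry, the single ipnat-style rewrite rule, and the names ip_output_model, run_scenario and scenario_delivered are all constructed for the example; the far end's "require" policy is modelled as "drop any clear packet that matches my SPD".

```c
/* Toy model of the ip_output() hook ordering discussed above.
 * Constructed example, not FreeBSD code; addresses are from
 * documentation ranges and the SPD/NAT rules are invented. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t src, dst; } pkt_t;

/* Transport-mode SPD entry: exact src/dst match, policy "require ESP". */
typedef struct { uint32_t src, dst; } spd_entry_t;

/* Outbound NAT rule: sources inside the prefix are rewritten to the gateway. */
typedef struct { uint32_t inside_net, inside_mask, gateway; } nat_rule_t;

typedef enum { IPSEC_THEN_FILTER, FILTER_THEN_IPSEC } hook_order_t;

/* What actually hits the wire, and whether it went out inside ESP. */
typedef struct { pkt_t wire; bool esp; } result_t;

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static bool spd_match(const spd_entry_t *e, const pkt_t *p) {
    return p->src == e->src && p->dst == e->dst;
}

static bool nat_rewrite(const nat_rule_t *r, pkt_t *p) {
    if ((p->src & r->inside_mask) == r->inside_net) {
        p->src = r->gateway;
        return true;
    }
    return false;
}

/* Run one packet through the two hooks in the requested order. */
result_t ip_output_model(hook_order_t order, pkt_t p,
                         const spd_entry_t *spd, const nat_rule_t *nat) {
    result_t r = { p, false };
    if (order == IPSEC_THEN_FILTER) {
        r.esp = spd_match(spd, &r.wire);   /* SPD sees the un-NATed source */
        nat_rewrite(nat, &r.wire);         /* ...then the source changes */
    } else {
        nat_rewrite(nat, &r.wire);
        r.esp = spd_match(spd, &r.wire);   /* SPD sees the NATed source */
    }
    return r;
}

/* Far end with a "require" policy: a clear packet matching its SPD is dropped. */
bool peer_accepts(const spd_entry_t *peer_spd, result_t r) {
    return r.esp || !spd_match(peer_spd, &r.wire);
}

/* Fixed scenario (constructed): gateway <-> peer SA, inside host behind NAT. */
result_t run_scenario(hook_order_t order, bool from_inside) {
    spd_entry_t spd = { ip4(192, 0, 2, 1), ip4(198, 51, 100, 7) };
    nat_rule_t nat = { ip4(192, 168, 1, 0), ip4(255, 255, 255, 0), ip4(192, 0, 2, 1) };
    pkt_t p = { from_inside ? ip4(192, 168, 1, 10) : ip4(192, 0, 2, 1),
                ip4(198, 51, 100, 7) };
    return ip_output_model(order, p, &spd, &nat);
}

/* Does the peer end up accepting the packet under this hook order? */
bool scenario_delivered(hook_order_t order, bool from_inside) {
    spd_entry_t spd = { ip4(192, 0, 2, 1), ip4(198, 51, 100, 7) };
    return peer_accepts(&spd, run_scenario(order, from_inside));
}

int main(void) {
    const char *names[] = { "IPSEC_THEN_FILTER", "FILTER_THEN_IPSEC" };
    for (int o = 0; o < 2; o++) {
        result_t direct = run_scenario((hook_order_t)o, false);
        result_t inside = run_scenario((hook_order_t)o, true);
        printf("%s: direct esp=%d accepted=%d | inside esp=%d accepted=%d\n",
               names[o], direct.esp, scenario_delivered((hook_order_t)o, false),
               inside.esp, scenario_delivered((hook_order_t)o, true));
    }
    return 0;
}
```

With IPSEC_THEN_FILTER the inside host's packet misses the transport-mode SPD entry, is then rewritten by NAT to the gateway's source address, and leaves in the clear looking exactly like traffic the peer insists must be ESP, so the peer drops it; with FILTER_THEN_IPSEC the same packet is NATed first, matches the SPD and goes out under ESP. Direct gateway-to-peer traffic is protected under either order, which is why only the NATed hosts show the problem.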