From owner-freebsd-net Fri Dec 1 6:25:43 2000
Delivered-To: freebsd-net@freebsd.org
Received: from osku.suutari.iki.fi (osku.syncrontech.com [213.28.98.4]) by hub.freebsd.org (Postfix) with ESMTP id 4101337B400 for ; Fri, 1 Dec 2000 06:25:40 -0800 (PST)
Received: from coffee (adsl-nat.syncrontech.com [213.28.98.3]) by osku.suutari.iki.fi (8.9.3/8.9.3) with SMTP id QAA70071 for ; Fri, 1 Dec 2000 16:25:38 +0200 (EET) (envelope-from ari@suutari.iki.fi)
Message-ID: <006901c05ba2$93d715b0$0e05a8c0@intranet.syncrontech.com>
From: "Ari Suutari"
To:
Subject: Re: filtering ipsec traffic (fwd)
Date: Fri, 1 Dec 2000 16:25:38 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

>
> So far, just one limitation comes to mind, which is that the packet
> filters cannot discriminate between a naturally non-IPsec packet, and a
> non-IPsec packet which 'was' or 'will be' an IPsec one. I don't think
> this is a big problem though.
>

But what if we are running in IPsec tunnel mode? For example, I could use an IPsec tunnel to connect two 192.168.x.x networks together. In such a setup, I would allow IPsec packets between the tunnel endpoints and packets between the 192.168.x.x networks, but *only* if they are coming from the tunnel. Last time I tried that, adding an 'ipfw pass any from 192.168.x.x .....' rule also allowed non-IPsec traffic between these nodes. This is a security hole, which allows someone to send packets with a spoofed source address to your system.

	Ari S.

--
Ari Suutari
Lemi, Finland

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
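The hole Ari describes, modelled as an added example that is not part of the thread and not FreeBSD or ipfw code: a toy first-match packet filter in Python. It runs the same three packets (the outer ESP packet between the gateways, the inner packet after decapsulation, and a cleartext packet from the Internet with a forged 192.168.x.x source) through two rulesets. The first is the "pass any from 192.168.x.x" approach from the message; the second adds a qualifier that only matches packets the kernel has just decapsulated. The `from_tunnel` attribute, the `require_tunnel` qualifier, the gateway addresses and the rule/packet types are all constructed for the example; the message's ipfw had no such qualifier (later ipfw versions provide an `ipsec` option that matches packets with IPsec history, which is what the flag stands in for).

```python
"""Toy first-match packet filter modelling the ipfw behaviour discussed above.

Constructed example: Rule and Packet are simplified stand-ins, not FreeBSD's
ipfw or IPsec code.  ``from_tunnel`` / ``require_tunnel`` are assumptions
standing in for an "arrived via IPsec" test the filter in the message lacks.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str            # source IP as the filter sees it
    dst: str            # destination IP
    proto: str          # "esp" for the outer IPsec packet, "ip" for cleartext
    from_tunnel: bool = False  # assumed: True if the kernel just decapsulated it


@dataclass(frozen=True)
class Rule:
    action: str         # "pass" or "deny"
    proto: str          # "esp", "ip" or "any"
    src: str            # CIDR, single host, or "any"
    dst: str            # CIDR, single host, or "any"
    require_tunnel: bool = False  # assumed qualifier: match only decapsulated packets


def _in_net(net: str, addr: str) -> bool:
    # A bare host address parses as a /32 network, so one helper covers both.
    return net == "any" or ip_address(addr) in ip_network(net)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("any", pkt.proto):
        return False
    if not (_in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)):
        return False
    if rule.require_tunnel and not pkt.from_tunnel:
        return False
    return True


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (ipfw-style default)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Tunnel endpoints (constructed addresses) and the two private networks they join.
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
NET_A, NET_B = "192.168.1.0/24", "192.168.2.0/24"

# Ruleset 1: what the message describes trying.  The private-network rules are
# the "ipfw pass any from 192.168.x.x ..." lines, with nothing tying them to the tunnel.
NAIVE_RULES = [
    Rule("pass", "esp", GW_A, GW_B),
    Rule("pass", "esp", GW_B, GW_A),
    Rule("pass", "any", NET_A, NET_B),
    Rule("pass", "any", NET_B, NET_A),
]

# Ruleset 2: same, but the private-network rules only match packets the kernel
# has just pulled out of an ESP tunnel (assumed qualifier, see module docstring).
TUNNEL_AWARE_RULES = [
    Rule("pass", "esp", GW_A, GW_B),
    Rule("pass", "esp", GW_B, GW_A),
    Rule("pass", "any", NET_A, NET_B, require_tunnel=True),
    Rule("pass", "any", NET_B, NET_A, require_tunnel=True),
]

# Constructed traffic as seen on gateway B.
ESP_FROM_PEER = Packet(GW_A, GW_B, "esp")
# The inner packet after decapsulation: legitimately from net A via the tunnel.
DECAPSULATED = Packet("192.168.1.5", "192.168.2.7", "ip", from_tunnel=True)
# An attacker on the Internet sends the identical cleartext packet with a forged source.
SPOOFED = Packet("192.168.1.5", "192.168.2.7", "ip", from_tunnel=False)


def evaluate(rules) -> dict:
    """Run the three sample packets through a ruleset and report each verdict."""
    return {
        "esp": filter_packet(rules, ESP_FROM_PEER),
        "decapsulated": filter_packet(rules, DECAPSULATED),
        "spoofed": filter_packet(rules, SPOOFED),
    }


if __name__ == "__main__":
    print("naive:       ", evaluate(NAIVE_RULES))         # spoofed packet passes
    print("tunnel-aware:", evaluate(TUNNEL_AWARE_RULES))  # spoofed packet denied
```

Run it with `python3`: under the naive ruleset the spoofed packet is passed, because once the inner packet has been decapsulated it is indistinguishable, by addresses and protocol alone, from a forged cleartext packet that never went through the tunnel. Only a rule that can see "this packet came out of IPsec" separates the two, which is the discrimination the quoted paragraph says the filters cannot make.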