Date: Sun, 11 May 2003 15:08:18 -0700
From: Matthew Braithwaite <matt-lists@braithwaite.net>
To: "Sam Leffler" <sam@errno.com>
Cc: matt@braithwaite.net
Subject: Re: iHEADS UP: ipsec packet filtering change
Message-ID: <86llxdb0h9.fsf@limekiller.braithwaite.net>
In-Reply-To: <1a5401c2db63$945db690$52557f42@errno.com> ("Sam Leffler"'s message of "Sun, 23 Feb 2003 09:47:05 -0800")
References: <1a5401c2db63$945db690$52557f42@errno.com>
On Sun, 23 Feb 2003 09:47:05 -0800, "Sam Leffler" <sam@errno.com> said:
>
>> Add a new config option IPSEC_FILTERGIF to control whether or not
>> packets coming out of a GIF tunnel are re-processed by ipfw,
>> et. al. By default they are not reprocessed. With the option they
>> are.
>
> This may affect your ipfw/ipf rules. If you are happy with the
> current behaviour then add IPSEC_FILTERGIF to your kernel config
> file.

I'm sure this was discussed to death somewhere, since it's a reversion of an earlier change, but just to beat a dead horse ...

I encountered this change in a surprising way: Being new to IPSec, I started by setting up a gif tunnel (without IPSec) between my singly-homed host, fred, running FreeBSD:

    ep0   192.168.0.2/24
    gif0  ${mynet}.27 -> ${mynet}.17
          tunnel 192.168.0.2 -> 192.168.0.1

and a dual-homed host, bob, running NetBSD:

    tlp0  ${mynet}.24/28
    tlp1  192.168.0.1/24
    gif0  ${mynet}.24 -> ${mynet}.27
          tunnel 192.168.0.1 -> 192.168.0.2

I did this so I could test the tunneling and the firewalling, and then introduce IPSec after I knew all that was working. Fred's firewall at this point would pass only ipencap packets over ep0, and I filtered the untunneled traffic on gif0. That worked just fine; fred's firewall saw both incoming and outgoing traffic on gif0 and filtered it.

But then I turned on IPSec AH between 192.168.0.1 and 192.168.0.2, and changed fred's firewall to pass ah instead of ipencap on ep0. When I made this change, fred's firewall continued seeing outbound packets on gif0, but stopped seeing inbound packets. The inbound packets on gif0 started bypassing the firewall entirely!

Setting IPSEC_FILTERGIF fixed this, of course. But it seemed (and still seems) quite unintuitive: why should the presence or absence of IPSec over a tunnel determine whether firewall rules get applied? And what sense does it make to firewall outbound packets on gif0 but not incoming packets?
I'm sure it makes sense from some perspective; I just wanted to contribute my confused little experience. :-)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86llxdb0h9.fsf>