From owner-freebsd-stable@FreeBSD.ORG Sun May 11 15:08:22 2003
From: Matthew Braithwaite
To: "Sam Leffler"
cc: stable@freebsd.org
cc: matt@braithwaite.net
Subject: Re: iHEADS UP: ipsec packet filtering change
Date: Sun, 11 May 2003 15:08:18 -0700
Message-ID: <86llxdb0h9.fsf@limekiller.braithwaite.net>
In-Reply-To: <1a5401c2db63$945db690$52557f42@errno.com> ("Sam Leffler"'s message of "Sun, 23 Feb 2003 09:47:05 -0800")
References: <1a5401c2db63$945db690$52557f42@errno.com>
User-Agent: Gnus/5.090015 (Oort Gnus v0.15) Emacs/21.2
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
List-Id: Production branch of FreeBSD source code

On Sun, 23 Feb 2003 09:47:05 -0800, "Sam Leffler" said:

>
>> Add a new config option IPSEC_FILTERGIF to control whether or not
>> packets coming out of a GIF tunnel are re-processed by ipfw,
>> et. al. By default they are not reprocessed. With the option they
>> are.
>
> This may affect your ipfw/ipf rules.
> If you are happy with the current behaviour then add IPSEC_FILTERGIF
> to your kernel config file.

I'm sure this was discussed to death somewhere, since it's a reversion of an earlier change, but just to beat a dead horse ...

I encountered this change in a surprising way: Being new to IPSec, I started by setting up a gif tunnel (without IPSec) between my singly-homed host, fred, running FreeBSD:

    ep0   192.168.0.2/24
    gif0  ${mynet}.27 -> ${mynet}.17
          tunnel 192.168.0.2 -> 192.168.0.1

and a dual-homed host, bob, running NetBSD:

    tlp0  ${mynet}.24/28
    tlp1  192.168.0.1/24
    gif0  ${mynet}.24 -> ${mynet}.27
          tunnel 192.168.0.1 -> 192.168.0.2

I did this so I could test the tunneling and the firewalling, and then introduce IPSec after I knew all that was working. Fred's firewall at this point would pass only ipencap packets over ep0, and I filtered the untunneled traffic on gif0. That worked just fine; fred's firewall saw both incoming and outgoing traffic on gif0 and filtered it.

But then I turned on IPSec AH between 192.168.0.1 and 192.168.0.2, and changed fred's firewall to pass ah instead of ipencap on ep0. When I made this change, fred's firewall continued seeing outbound packets on gif0, but stopped seeing inbound packets. The inbound packets on gif0 started bypassing the firewall entirely!

Setting IPSEC_FILTERGIF fixed this, of course. But it seemed (and still seems) quite unintuitive: why should the presence or absence of IPSec over a tunnel determine whether firewall rules get applied? And what sense does it make to firewall outbound packets on gif0 but not incoming packets?

I'm sure it makes sense from some perspective; I just wanted to contribute my confused little experience. :-)
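As an added illustration (not part of the original mail), here is what fred's ipfw rule file could look like at the AH stage described above, with a pair of count rules whose counters in `ipfw -a list` show whether inbound gif0 traffic is reaching the filter at all; the rule numbers, the file path, the stand-in prefix 192.0.2 for ${mynet} and the permitted inner services are assumptions.

```conf
# /etc/ipfw.rules for fred (assumed path; loaded by setting
# firewall_type="/etc/ipfw.rules" in rc.conf, so rc.firewall flushes first).
# Constructed example: ${mynet} from the mail is stood in for by 192.0.2,
# so bob's subnet ${mynet}.24/28 becomes 192.0.2.16/28.
# The kernel config must also carry:   options IPSEC_FILTERGIF
# Without it, the "in via gif0" rules below never see decapsulated AH traffic.

# Outer interface ep0: with AH turned on, only AH between the tunnel
# endpoints is allowed. (Before IPsec this was "ipencap" instead of "ah".)
add 100 allow ah from 192.168.0.1 to 192.168.0.2 in via ep0
add 110 allow ah from 192.168.0.2 to 192.168.0.1 out via ep0
add 190 deny log ip from any to any via ep0

# Inner interface gif0: filter the decapsulated traffic in both directions.
# Rules 200/210 are the diagnostic: in "ipfw -a list" both counters should
# advance as traffic flows through the tunnel. If 210 climbs while 200 stays
# at zero, inbound gif0 packets are bypassing the filter, which is exactly
# the symptom the mail reports when IPSEC_FILTERGIF is not set.
add 200 count ip from any to any in via gif0
add 210 count ip from any to any out via gif0
add 220 allow tcp from 192.0.2.16/28 to 192.0.2.27 22 in via gif0 setup
add 230 allow tcp from any to any via gif0 established
add 240 allow icmp from any to any via gif0
add 290 deny log ip from any to any via gif0

# Everything else.
add 65000 deny ip from any to any
```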