From: Alwyn Goodloe <agoodloe@saul.cis.upenn.edu>
To: freebsd-security@FreeBSD.ORG
Date: Wed, 28 May 2003 16:44:14 -0400 (EDT)
Subject: IP SEC filtering issue

First thing to note is that I am using FreeBSD 4.8.

We would like to send only the SYN packet of a TCP connection through certain IPsec tunnels and the rest of the packets in a connection through a simple transport mode setup. Yeah, I know it's strange, but what can I say -- we do a lot of strange things.

From the best I can tell, the setkey/spdadd filtering capability isn't sophisticated enough to detect SYN packets. Since ipfw does do this sort of thing, we can use it to filter out the SYN packet and, using divert sockets (we have a lot of experience writing divert sockets), we can put a wrapper around it so that it goes to a particular port.
Since IPsec can filter on ports, we can just filter that out. The process should look something like:

    SYN ---> diverted and wrapped to head for port X ----> IPsec filters on port X, sends it into tunnel
    ......... ........... IPsec does its thing ---> divert socket unwraps ---> sends the packet on its way (not passing through IPsec again).

The divert socket solution seems to work fine on the sending side, but there seem to be problems on the receiving side. I suspect that ipfw is looking at the packet before IPsec or some such thing. I know that there were postings about the interaction of ipfw and IPsec and that some of these were going to be fixed in 4.8.

If any of you know of a way to get IPsec to filter on SYN packets, let me know. If you have ever tried to get divert sockets and IPsec working at the same time, let me know the secret. I suspect I'm just going to have to hack the IPsec filter to get it to filter on SYN packets. Any ideas as to how hard this will be?

Alwyn Goodloe
agoodloe@saul.cis.upenn.edu
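As an added example, not part of the original post or the poster's own daemon: the userland half of the scheme described above, i.e. the divert-socket program that recognises a bare TCP SYN, wraps it in a UDP datagram aimed at a port the IPsec SPD can select on, and unwraps such datagrams on the far side. The ipfw rule and setkey entry in the docstring, the divert port 9000, the wrap port 9001, the addresses 10.0.0.1/10.0.0.2 and the test packets are all constructed for the example; IPPROTO_DIVERT=254 is the FreeBSD value, which Python's socket module does not export. The packet parsing and rewriting is pure Python and runs anywhere; only run() needs a FreeBSD divert socket.

```python
"""Divert-socket SYN wrapper/unwrapper (illustrative, constructed example).

Assumed kernel-side configuration (not the poster's, written for this example):

    # hand only connection-opening SYNs (SYN set, ACK clear) to the daemon
    ipfw add 1000 divert 9000 tcp from any to any setup out
    # let the SPD pick out the wrapper by UDP port and tunnel it
    setkey -c <<EOF
    spdadd 10.0.0.1/32 10.0.0.2/32[9001] udp -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
    EOF

Everything else in the connection stays on whatever transport-mode policy
matches it, because only the wrapped SYN carries the selected UDP port.
"""
import socket
import struct

IPPROTO_DIVERT = 254   # FreeBSD value; assumed, not exported by the socket module
DIVERT_PORT = 9000     # port the assumed ipfw 'divert' rule uses
WRAP_PORT = 9001       # UDP port the assumed SPD entry selects on


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a correctly summed header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def parse_ipv4(pkt: bytes):
    """Return (header length, protocol, src, dst) from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return ihl, pkt[9], pkt[12:16], pkt[16:20]


def is_tcp_syn(pkt: bytes) -> bool:
    """True for a bare SYN (SYN set, ACK clear): the first packet of a connection."""
    ihl, proto, _, _ = parse_ipv4(pkt)
    if proto != 6:
        return False
    flags = pkt[ihl + 13]
    return bool(flags & 0x02) and not (flags & 0x10)


def _ipv4_header(proto: int, payload_len: int, src: bytes, dst: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def wrap(pkt: bytes, port: int = WRAP_PORT) -> bytes:
    """Encapsulate the whole IP packet as the payload of a UDP datagram to `port`.

    Outer addresses are copied from the inner packet so the SPD selector on
    src/dst/port still matches; UDP checksum 0 means 'none', which IPv4 permits.
    """
    _, _, src, dst = parse_ipv4(pkt)
    udp = struct.pack("!HHHH", port, port, 8 + len(pkt), 0) + pkt
    return _ipv4_header(17, len(udp), src, dst) + udp


def unwrap(pkt: bytes, port: int = WRAP_PORT):
    """Return the inner IP packet if `pkt` is one of our wrappers, else None."""
    ihl, proto, _, _ = parse_ipv4(pkt)
    if proto != 17 or len(pkt) < ihl + 8:
        return None
    _, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != port or ulen != len(pkt) - ihl:
        return None
    inner = pkt[ihl + 8:]
    # refuse anything that is not a well-formed IPv4 packet with a valid header checksum
    if len(inner) < 20 or (inner[0] >> 4) != 4 or ip_checksum(inner[:(inner[0] & 0x0F) * 4]) != 0:
        return None
    return inner


def handle(pkt: bytes, direction: str) -> bytes:
    """Rewrite one diverted packet: wrap SYNs going out, unwrap wrappers coming in."""
    if direction == "out":
        return wrap(pkt) if is_tcp_syn(pkt) else pkt
    inner = unwrap(pkt)
    return inner if inner is not None else pkt


def make_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal IPv4/TCP packet (constructed test input, no options, no data)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    return _ipv4_header(6, len(tcp), s, d) + tcp


def run() -> None:
    """Attach to the ipfw divert port and rewrite packets in place (FreeBSD only).

    divert(4) reports an outgoing packet with sin_addr 0.0.0.0 and an incoming one
    with the address of the interface it arrived on; sending back to the same
    address re-injects the packet where it left the stack.
    """
    sk = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    sk.bind(("0.0.0.0", DIVERT_PORT))
    while True:
        pkt, addr = sk.recvfrom(65535)
        direction = "out" if addr[0] == "0.0.0.0" else "in"
        sk.sendto(handle(pkt, direction), addr)


if __name__ == "__main__":
    run()
```

The unwrap step only helps if ipfw hands the divert socket the packet after IPsec has stripped the ESP/tunnel header; it does not address the receive-side ordering problem the post raises. A SYN wrapped this way also never traverses the transport-mode SA that the rest of the connection uses, which is exactly the split the post asks for, so the far end must unwrap before the packet reaches TCP or the handshake never starts.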