From owner-freebsd-security@FreeBSD.ORG Thu Jun 12 11:41:36 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 561DF37B401 for ; Thu, 12 Jun 2003 11:41:36 -0700 (PDT)
Received: from buexe.b-5.de (buexe.b-5.de [80.148.32.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8960443FAF for ; Thu, 12 Jun 2003 11:41:34 -0700 (PDT) (envelope-from lupe@lupe-christoph.de)
Received: from antalya.lupe-christoph.de ([172.17.0.9]) h5CIfVJ13033 for ; Thu, 12 Jun 2003 20:41:32 +0200
Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id D54D25F9; Thu, 12 Jun 2003 20:41:24 +0200 (CEST)
Date: Thu, 12 Jun 2003 20:41:24 +0200
To: freebsd-security@FreeBSD.ORG
Message-ID: <20030612184124.GD26930@lupe-christoph.de>
References: <20030607111540.GC4812@lupe-christoph.de> <20030610230744.GD44069@blossom.cjclark.org> <20030612132138.A26888@shell.gsinet.sittig.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030612132138.A26888@shell.gsinet.sittig.org>
User-Agent: Mutt/1.5.4i
From: lupe@lupe-christoph.de (Lupe Christoph)
Subject: Re: Impossible to IPfilter this?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 12 Jun 2003 18:41:36 -0000

On Thursday, 2003-06-12 at 13:21:38 +0200, Gerhard Sittig wrote:

> In this scenario (would I be in the situation to have to filter
> this traffic:) I would wish for some flag or "handle" to recognize
> the different times the packet runs through the filter. There is
> quite a huge difference between "letting ESP/AH in at fxp0 and
> accept IPv4 -- maybe RFC1918 addresses -- from this tunnel (but
> not otherwise)" and "letting ESP/AH as well as IPv4 in at fxp0".
> Not wanting or having to extend the established filter syntax or
> the programming interface already laid out almost naturally makes
> the "interface" property of a packet one such handle.

I've used ipsec0 on Linux for similar purposes, and I would like to see an IPSec interface in FreeBSD as well. As I said, I could not get GIF to work with FreeS/WAN, so I'm stuck with the current interface-deprived IPSec implementation.

But at least (and at last!) I can use IPFilter rules for IPSec traffic, thanks to Crist's suggestion. Since I just want to prohibit traffic to "this host", that's enough for me.

Thank you all,
Lupe Christoph

--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett |
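The two policies Gerhard contrasts above, written out as an IPFilter ruleset. This is an added illustration, not a ruleset posted in the thread; it assumes fxp0 as the outside interface (as in the quoted text), constructed addresses 198.51.100.1 for the local tunnel endpoint and 203.0.113.10 for the peer, and RFC1918 networks 192.168.1.0/24 (remote side of the tunnel) and 192.168.0.0/24 (local side). The point it demonstrates is the one the quoted message makes: because a decrypted packet re-enters the filter still attributed to fxp0, rules keyed on the interface alone cannot tell "IPv4 from inside the tunnel" apart from "IPv4 straight off the wire".

```ipf
# /etc/ipf.rules (added example, not from the thread)
# Pass 1: the ESP/AH envelope arrives on fxp0 from the known peer.
# Limiting the source to the peer address keeps random ESP/AH off the host.
pass in quick on fxp0 proto esp from 203.0.113.10 to 198.51.100.1
pass in quick on fxp0 proto ah  from 203.0.113.10 to 198.51.100.1

# Pass 2: after decryption the inner IPv4 packet runs through the filter
# again. Without an IPsec pseudo-interface it is still seen "on fxp0", so
# this rule is the intended "accept RFC1918 from this tunnel" ...
pass in quick on fxp0 from 192.168.1.0/24 to 192.168.0.0/24

# ... but it is indistinguishable from "accept RFC1918 from the wire":
# a cleartext packet with a 192.168.1.x source arriving on fxp0 matches
# the very same rule. Conversely, the usual anti-spoofing rule below,
# if placed BEFORE the pass rule, would also drop the decrypted tunnel
# traffic, because both share the fxp0 interface tag.
block in quick on fxp0 from 10.0.0.0/8     to any
block in quick on fxp0 from 172.16.0.0/12  to any
block in quick on fxp0 from 192.168.0.0/16 to any

# Everything else destined to the host itself is dropped (the narrower
# goal the reply settles for: prohibiting traffic to "this host").
block in quick on fxp0 from any to 198.51.100.1
```

With an interface handle (an ipsec0-style pseudo-interface, as the reply wishes for), the second pass could be matched with `on ipsec0` instead of `on fxp0`, and the anti-spoofing block on fxp0 would then apply only to cleartext packets from the wire. Rule order matters in ipf: the `quick` keyword makes the first matching rule final, so a block on 192.168.0.0/16 listed ahead of the pass rule would take precedence.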