From: "Nielsen" <nielsen@memberwebs.com>
To: "Alwyn Goodloe"
Subject: Re: IP SEC filtering issue
Date: Fri, 30 May 2003 19:53:22 -0000
Message-Id: <20030530195629.2282B3FF312@mail.npubs.com>
List-Id: Security issues [members-only posting]

From experience I've found you have to break these things up on different machines. I don't have an intimate knowledge of how and when the IPSEC processing gets done in the kernel, and maybe if someone did they could figure out how and if you could do all of this on a single machine. But in our case, we break down the tasks between machines (traffic splitter, ipsec processing, etc...) and it works like a charm. It's also *much* easier to figure out what's wrong, heh. The machines don't have to be powerful.

Nate

----- Original Message -----
From: "Alwyn Goodloe"
Sent: Wednesday, May 28, 2003 14:44
Subject: IP SEC filtering issue

> First thing to note is that I am using FreeBSD 4.8.
>
> We would like to send only the syn packet of a tcp connection through
> certain ipsec tunnels and the rest of the packets in a connection through
> a simple transport mode setup. Yeah, I know it's strange but what can I
> say -- we do a lot of strange things. From the best I can tell, the
> setkey/spdadd filtering capability isn't sophisticated enough to detect
> syn packets. Since ipfw does do this sort of thing we can use this to
> filter out the syn packet and using divert sockets (we have a lot of
> experience at writing divert sockets) we can put a wrapper
> around it so that it goes to a particular port. Since ip sec can filter on
> ports, we can just filter that out. The process should look something
> like:
>
>   syn ---> diverted and wrapped to head for port X ---->
>   ipsec filters on port X sends it into tunnel .........
>
>   ........... ipsec does its thing ---> divert socket unwraps --->
>   sends the packet on its way (not passing through ip sec again).
>
> The divert socket solution seems to work fine on the sending side, but
> there seem to be problems on the receiving side. I suspect that ipfw is
> looking at the packet before ipsec or some such thing. I know that there
> were postings about the interaction of ipfw and ipsec and that some of
> these were going to be fixed in 4.8.
>
> If any of you know of a way to get ipsec to filter on syn packets let me
> know. If you have ever tried to get divert sockets and ip sec working at
> the same time let me know the secret. I suspect I'm just going to have
> to hack the ipsec filter to get it to filter on syn packets. Any ideas as
> to how hard this will be?
>
> Alwyn Goodloe
> agoodloe@saul.cis.upenn.edu
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
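The packet-side logic a divert-socket "wrapper" needs for the scheme Alwyn sketches above (detect a bare SYN the way ipfw's "setup" keyword does, retarget it to a fixed port X so an SPD entry keyed on that port can select the tunnel, and restore the real port on the far side), as an added example that is not code from either poster. Everything here is my own construction: the wrapper port is a hypothetical 4500, the sample packet is built inline, the FreeBSD divert socket read/write loop that would feed these functions is omitted, and the original destination port is carried out of band by the caller (a real wrapper would need a table or an encapsulating header to get it across the tunnel). The checksum fix-up after the port rewrite is the RFC 1624 incremental update, so a full recomputation is included only to verify it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WRAP_PORT 4500  /* hypothetical "port X" matched by the SPD entry */
#define TH_SYN    0x02
#define TH_ACK    0x10

/* Byte-level accessors (network order) so no netinet/*.h struct naming is needed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Offset of the TCP header inside an IPv4 packet, or -1 if it is not IPv4/TCP. */
static int tcp_offset(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt[9] != 6 || len < ihl + 20) return -1;
    return (int)ihl;
}

/* ipfw's "setup" test by hand: SYN set and ACK clear, i.e. a new connection. */
int is_tcp_syn(const uint8_t *pkt, size_t len) {
    int t = tcp_offset(pkt, len);
    if (t < 0) return 0;
    return (pkt[t + 13] & (TH_SYN | TH_ACK)) == TH_SYN;
}

static uint32_t ones_sum(uint32_t acc, const uint8_t *p, size_t n) {
    for (; n > 1; n -= 2, p += 2) acc += rd16(p);
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Full TCP checksum over pseudo-header + segment (len is the whole packet).
 * With the checksum field zeroed it returns the value to store; with a
 * valid checksum in place it returns 0. */
uint16_t tcp_checksum(const uint8_t *pkt, size_t len) {
    int t = tcp_offset(pkt, len);
    if (t < 0) return 0xffff;
    size_t seglen = len - (size_t)t;
    uint32_t s = ones_sum(0, pkt + 12, 8);        /* src and dst addresses */
    s += (uint32_t)(6 + seglen);                   /* zero, protocol, TCP length */
    s = ones_sum(s, pkt + t, seglen);
    return (uint16_t)~fold(s);
}

/* RFC 1624: new checksum after replacing 16-bit word oldv by newv. */
static uint16_t csum_replace16(uint16_t c, uint16_t oldv, uint16_t newv) {
    uint32_t s = (uint16_t)~c;
    s += (uint16_t)~oldv;
    s += newv;
    return (uint16_t)~fold(s);
}

/* Sending side: retarget a bare SYN to WRAP_PORT. Returns 1 and hands the
 * original destination port back to the caller when the packet was rewritten. */
int wrap_syn(uint8_t *pkt, size_t len, uint16_t *orig_dport) {
    if (!is_tcp_syn(pkt, len)) return 0;
    int t = tcp_offset(pkt, len);
    uint16_t old = rd16(pkt + t + 2);
    *orig_dport = old;
    wr16(pkt + t + 2, WRAP_PORT);
    wr16(pkt + t + 16, csum_replace16(rd16(pkt + t + 16), old, WRAP_PORT));
    return 1;
}

/* Receiving side: put the real destination port back after IPsec has run. */
int unwrap_syn(uint8_t *pkt, size_t len, uint16_t orig_dport) {
    int t = tcp_offset(pkt, len);
    if (t < 0 || rd16(pkt + t + 2) != WRAP_PORT) return 0;
    wr16(pkt + t + 2, orig_dport);
    wr16(pkt + t + 16, csum_replace16(rd16(pkt + t + 16), WRAP_PORT, orig_dport));
    return 1;
}

/* Constructed sample: 40-byte IPv4+TCP segment 10.0.0.1:40000 -> 10.0.0.2:80,
 * no options, no payload, with the requested TCP flags and a valid checksum. */
size_t build_syn(uint8_t *buf, uint8_t flags) {
    static const uint8_t hdr[40] = {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        10, 0, 0, 1, 10, 0, 0, 2,
        0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
        0x50, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
    };
    memcpy(buf, hdr, sizeof hdr);
    buf[33] = flags;
    wr16(buf + 36, tcp_checksum(buf, sizeof hdr));
    return sizeof hdr;
}

int main(void) {
    uint8_t pkt[40]; uint16_t orig = 0;
    size_t n = build_syn(pkt, TH_SYN);
    printf("bare SYN: %d\n", is_tcp_syn(pkt, n));
    wrap_syn(pkt, n, &orig);
    printf("after wrap: dport=%u csum_ok=%d\n", rd16(pkt + 22), tcp_checksum(pkt, n) == 0);
    unwrap_syn(pkt, n, orig);
    printf("after unwrap: dport=%u csum_ok=%d\n", rd16(pkt + 22), tcp_checksum(pkt, n) == 0);
    return 0;
}
```

In the layout Alwyn describes, the sending host would feed wrap_syn from an ipfw rule of the form "divert <port> tcp from any to any setup out" (my wording of the rule, not his), and the SPD entry selecting the tunnel would key on destination port 4500 for tcp. The caveat he already ran into is left untouched here: on the receiving host the order in which ipfw and the IPsec input path see the packet decides whether unwrap_syn ever gets the decapsulated SYN, and this code cannot change that ordering.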