From: Bruce M Simpson <bms@hysteria.spc.org>
To: Justin
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 13 Jun 2003 01:10:10 +0100
Subject: Re: Impossible to IPfilter this?
Message-ID: <20030613001010.GA9463@spc.org>
In-Reply-To: <20030612180120.B54558@ike.othius.com>
References: <20030607111540.GC4812@lupe-christoph.de> <20030612132138.A26888@shell.gsinet.sittig.org> <20030612184124.GD26930@lupe-christoph.de> <20030612180120.B54558@ike.othius.com>

There's a hack for this in -CURRENT:

    #
    # Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
    # to be processed by any configured packet filtering (ipfw, ipf).
    # The default is that packets coming from a tunnel are _not_ processed;
    # they are assumed trusted.
    #
    # Note that enabling this can be problematic as there are no mechanisms
    # in place for distinguishing packets coming out of a tunnel (e.g. no
    # encX devices as found on openbsd).
    #
    #options IPSEC_FILTERGIF #filter ipsec packets from a tunnel

BMS
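The following is an added illustration, not part of Bruce's message or of the FreeBSD source tree. It shows the default kernel configuration (tunnel traffic trusted and unfiltered) next to the same configuration with IPSEC_FILTERGIF enabled, and an ipf ruleset that only has an effect once the option is on. The interface name gif0, the addresses and the port are assumptions chosen for the example; the ruleset is written for the gif case, where the decapsulated packet is handed to the filter on the gif interface, so it can be matched with "on gif0". As the NOTES comment above says, packets decapsulated from an IPsec tunnel-mode SA carry no such interface, so they cannot be singled out this way.

```conf
# --- kernel configuration fragment (added example) ---
# Default: inner packets leaving a gif/IPsec tunnel bypass ipfw and ipf
# entirely. Anything the remote tunnel endpoint sends is accepted as trusted.
#options IPSEC_FILTERGIF

# Hardened: inner packets are run through the configured packet filter,
# so the ruleset below actually applies to tunnel traffic.
options IPSEC_FILTERGIF          # filter ipsec packets from a tunnel

# --- /etc/ipf.rules fragment (added example; assumed names/addresses) ---
# Default-deny for everything arriving through the tunnel, logged so that
# unexpected traffic from the far end shows up in ipmon output.
block in log on gif0 all
block out log on gif0 all

# Permit only the services the tunnel is meant to carry. Here the remote
# site 10.1.0.0/16 (assumed) may reach the local host 10.2.0.5 (assumed)
# on ssh; state is kept so return traffic is allowed automatically.
pass in quick on gif0 proto tcp from 10.1.0.0/16 to 10.2.0.5 port = 22 flags S keep state
pass in quick on gif0 proto icmp from 10.1.0.0/16 to 10.2.0.5 icmp-type echo keep state

# Locally originated traffic into the tunnel.
pass out quick on gif0 proto tcp from 10.2.0.0/16 to 10.1.0.0/16 flags S keep state
```

Without IPSEC_FILTERGIF the "on gif0" rules never see a packet, which is the behaviour the original poster was asking about; a quick check after enabling the option is to watch the ipmon log for "block in ... gif0" entries while sending unexpected traffic from the far end of the tunnel.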