Date:      Wed, 11 Apr 2001 10:00:36 +0100
From:      Rasputin <rara.rasputin@virgin.net>
To:        security@freebsd.org
Subject:   Re: Interaction between ipfw, IPSEC and natd
Message-ID:  <20010411100036.B63302@dogma.freebsd-uk.eu.org>
In-Reply-To: <20010410181407.A1011@linnet.org>; from B.Candler@pobox.com on Tue, Apr 10, 2001 at 06:14:07PM +0100
References:  <20010410181407.A1011@linnet.org>

* Brian Candler <B.Candler@pobox.com> [010410 18:15]:
> Is there any documentation on how ipfw, natd and IPSEC interact with each
> other? In particular,
> - what is the order of processing of inbound and outbound packets?
> - when packets are re-injected by natd, where in the whole system are they
>   re-injected?
> - do packets reinjected by natd still match 'in via <interface>' or
>   'out via <interface>'?  (OK, I could determine this one experimentally,
>   but I'd still like to see it documented :-)
> 
> I see that by default FreeBSD puts its natd divert rule right at the very
> top of the ruleset, but I have found that this stops IPSEC processing
> working. I can make it work by putting natd lower down: e.g.
> 
> add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8   # private addrs
> add 02000 divert 8668 ip from any to any via xl0    # external i/face

Does anybody know if ipfilter has similar problems with IPSec?
I saw a thread in the NetBSD mail archives that indicated this, but it was
around a year old.

And if anyone knows where I can get free IPSec clients for Mac (OS9.x)
I'll send them a packet of chocolate HobNobs. Chocolate- Mmm....

(URL would be good. There's supposed to be one somewhere in the rat's nest that
is http://www.nai.com, but a friend of mine went looking last week and we
never saw him again.)
-- 
Rasputin
Jack of All Trades :: Master of Nuns

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message