From: Alexey Zakirov
Date: Wed, 6 Mar 2002 14:52:18 +0300 (MSK)
To: "Crist J. Clark"
Cc: "Dalin S. Owen",
Subject: Re: ESP + IPFW
In-Reply-To: <20020304212850.M87533@blossom.cjclark.org>

On Mon, 4 Mar 2002, Crist J. Clark wrote:

> > #workstation
> > ipfw add 10 allow esp from any to any
> >
> > Now, everything works fine. But I would like to be able to firewall the
> > packets *after* they are translated by IPSec (ESP) with IPFW? How would I
> > do that? They seem to only pass into IPFW once, not twice.. Can you run IPF
> > with IPFW to do it, and in that case which firewalling system gets matched
> > first?
>
> Yep. They go through ipfw(8) once. If you run ipf(8), they go through
> ipf(8) then ipfw(8)... once.

You _can't_ filter packets "*after* they are translated by IPSec". It's because of the change in ip_input.c which happened around summer. This is a patch that I have to apply to most of my natd/gateway machines to get NAT to work:

=======================================================================
--- ip_input.c.orig Thu Jan 17 20:32:21 2002
+++ ip_input.c Thu Jan 17 20:32:58 2002
@@ -391,10 +391,12 @@ m_adj(m, ip->ip_len - m->m_pkthdr.len); } +/* XXX breaks tunnels/nat/etc #ifdef IPSEC if (ipsec_gethist(m, NULL)) goto pass; #endif +*/ /* * IpHack's section.
=======================================================================

*** WBR, Alexey Zakirov (frank@agava.com)
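Review bot: wrapping the `#ifdef IPSEC ... #endif` block in a C comment (`+/* XXX breaks tunnels/nat/etc` ... `+*/`) is a fragile way to disable it; `#if 0` / `#endif`, or better a kernel option or sysctl so the bypass can be switched off without editing ip_input.c, would survive later edits to that block and make the local deviation from the stock kernel visible. The hunk should also document its security effect: with the `goto pass` no longer taken, packets that ipsec_gethist() reports as already IPsec-processed continue through the rest of ip_input(), including the "IpHack's section" that follows, so the decapsulated inner packets now reach the firewall and NAT processing a second time and existing ipfw rule sets on those gateways should be reviewed with that in mind.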