From owner-freebsd-net Mon Jan 14 3:52:25 2002
Delivered-To: freebsd-net@freebsd.org
Received: from smtp012.mail.yahoo.com (smtp012.mail.yahoo.com [216.136.173.32]) by hub.freebsd.org (Postfix) with SMTP id E730E37B400 for ; Mon, 14 Jan 2002 03:52:21 -0800 (PST)
Received: from unknown (HELO kshitij1) (203.124.128.243) by smtp.mail.vip.sc5.yahoo.com with SMTP; 14 Jan 2002 11:52:20 -0000
From: "Kshitij Gunjikar"
To:
Subject: RE: Filtering packets received through an ipsec tunnel
Date: Mon, 14 Jan 2002 17:32:11 +0530
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi Rene,

I'm wondering why you want to filter secure traffic? The very fact that you have a tunnel to a place means you trust that network. Hence, why filter? What are the complex situations you have in mind?

Regards
Kshitij

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Rene de Vries
Sent: Sunday, January 13, 2002 10:32 PM
To: net@freebsd.org
Subject: Filtering packets received through an ipsec tunnel

Hello,

> This message was already posted to hackers@freebsd.org, but with
> limited success. I'm hoping that someone on net@freebsd.org can give me
> some more information.

By experimenting with ipsec and looking at the source of "ip_input.c", a co-worker and I found out the following.

When an ipsec tunnel packet is received, this (protocol 50/51) packet is passed through ip-filter (& co). After filtering, and when it has been determined that the current host is the destination (tunnel end-point), this packet is decrypted/verified.

The decrypted packet is then pushed back into the queue that leads to ip_input(...). So far so good.... But once in ip_input(...) the filtering code is skipped, and we were wondering why.

I know that ipsec has some handles to be able to filter on address, protocol and/or port. But for more complex situations this is not enough. In these situations it would be nice to be able to use ip-filter (& co) on traffic from the tunnel (and also for traffic going into the tunnel).

I was wondering why this is implemented the way it is. Maybe someone on this list could shed some light on this?

Rene
--
Rene de Vries

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
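The thread describes the ip_input() path but never shows what the bypass costs. The following is an added model of that path, written for this archive page; it is not FreeBSD kernel code. The packet struct, the rule table (standing in for an ipfilter ruleset), the "decrypt" step (a plain copy of the payload) and the names cleartext_ssh(), tunnelled_ssh_bypass() and so on are all invented for the illustration. The one thing it does reproduce from the kernel of that era is the shape of the skip: the 4.x ip_input.c checks ipsec_gethist() on a packet carrying IPsec history and jumps past the filter hooks, with the comment "Bypass packet filtering for packets from a tunnel". The model runs the same packet once with that bypass and once with the decapsulated packet filtered again, and counts how often the filter sees it.

```c
/* Model of ip_input() with and without filtering of decapsulated IPsec packets.
 * Added illustration for the thread above; not FreeBSD code. Addresses,
 * rules and the ESP "decryption" are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_TCP 6
#define IPPROTO_ESP 50
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Toy packet: enough of an IP/TCP header to filter on, plus, for ESP, the
 * encapsulated inner packet. ipsec_hist models the history the kernel
 * attaches once a packet has come out of a tunnel (ipsec_gethist() in 4.x). */
struct pkt {
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t dport;
    bool     ipsec_hist;
    const struct pkt *inner;
};

enum verdict { PASS, DROP };

/* Stand-in for the ipfilter ruleset: hosts outside 10.0.0.0/24 may not reach
 * ssh on 10.0.0.0/24; everything else, including ESP to the endpoint, passes. */
static enum verdict filter(const struct pkt *p)
{
    bool to_internal   = (p->dst & 0xffffff00u) == IP(10, 0, 0, 0);
    bool from_internal = (p->src & 0xffffff00u) == IP(10, 0, 0, 0);
    if (p->proto == IPPROTO_TCP && p->dport == 22 && to_internal && !from_internal)
        return DROP;
    return PASS;
}

/* ip_input() as the thread describes it. The outer ESP packet is filtered,
 * "decrypted" and re-injected; on the second pass the filter is skipped when
 * filter_decapsulated is false (the 4.x behaviour) and re-run when it is true. */
static enum verdict ip_input(const struct pkt *p, bool filter_decapsulated, int *filter_calls)
{
    struct pkt decap;                     /* inner packet after the model's esp4_input() */
    for (;;) {
        bool skip = p->ipsec_hist && !filter_decapsulated;   /* the ipsec_gethist() bypass */
        if (!skip) {
            (*filter_calls)++;
            if (filter(p) == DROP)
                return DROP;
        }
        if (p->proto == IPPROTO_ESP && p->inner != NULL) {
            decap = *p->inner;            /* verify/decrypt: the model just copies the payload */
            decap.ipsec_hist = true;      /* record that it came out of a tunnel */
            p = &decap;                   /* push back into ip_input() */
            continue;
        }
        return PASS;                      /* hand to the transport layer */
    }
}

/* Constructed traffic: tunnel endpoint 192.0.2.1, peer 198.51.100.7 whose
 * network 172.16.0.0/24 sits behind the tunnel, internal host 10.0.0.10. */
static const struct pkt inner_ssh = { IP(172, 16, 0, 5),   IP(10, 0, 0, 10), IPPROTO_TCP, 22, false, NULL };
static const struct pkt inner_web = { IP(172, 16, 0, 5),   IP(10, 0, 0, 10), IPPROTO_TCP, 80, false, NULL };
static const struct pkt esp_ssh   = { IP(198, 51, 100, 7), IP(192, 0, 2, 1), IPPROTO_ESP, 0,  false, &inner_ssh };
static const struct pkt esp_web   = { IP(198, 51, 100, 7), IP(192, 0, 2, 1), IPPROTO_ESP, 0,  false, &inner_web };
static const struct pkt clear_ssh = { IP(198, 51, 100, 7), IP(10, 0, 0, 10), IPPROTO_TCP, 22, false, NULL };

enum verdict cleartext_ssh(void)          { int n = 0; return ip_input(&clear_ssh, false, &n); }
enum verdict tunnelled_ssh_bypass(void)   { int n = 0; return ip_input(&esp_ssh, false, &n); }
enum verdict tunnelled_ssh_filtered(void) { int n = 0; return ip_input(&esp_ssh, true, &n); }
enum verdict tunnelled_web_filtered(void) { int n = 0; return ip_input(&esp_web, true, &n); }
int filter_calls_bypass(void)             { int n = 0; ip_input(&esp_ssh, false, &n); return n; }
int filter_calls_filtered(void)           { int n = 0; ip_input(&esp_ssh, true, &n); return n; }

static const char *name(enum verdict v) { return v == DROP ? "DROP" : "PASS"; }

int main(void)
{
    printf("ssh from outside, cleartext:            %s\n", name(cleartext_ssh()));
    printf("same ssh inside ESP, 4.x bypass:        %s (filter ran %d time)\n",
           name(tunnelled_ssh_bypass()), filter_calls_bypass());
    printf("same ssh inside ESP, filtered again:    %s (filter ran %d times)\n",
           name(tunnelled_ssh_filtered()), filter_calls_filtered());
    printf("web inside ESP, filtered again:         %s\n", name(tunnelled_web_filtered()));
    return 0;
}
```

The point the numbers make: the ESP packet itself is filtered once, but the ruleset only ever sees protocol 50 to the endpoint address, so a rule written about 10.0.0.10:22 cannot match it; the packet that rule is about appears only after decapsulation, on the pass the bypass skips. That is the "complex situation" a tunnel peer can exploit, since trusting a peer to authenticate a tunnel is not the same as trusting every host behind it. The filtered variant is the behaviour FreeBSD later provided with the enc(4) pseudo-interface (net.enc.in.ipsec_filter_mask / net.enc.out.ipsec_filter_mask), which presents decapsulated and pre-encapsulation packets to pf and ipfw; that interface did not exist when this thread was written.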