From: Fred Clift
Date: Thu, 18 Apr 2002 13:03:17 -0600 (MDT)
Subject: IPSec + IPF
Message-ID: <20020418123358.O727-100000@vespa.dmz.orem.verio.net>
Sender: owner-freebsd-questions@FreeBSD.ORG

Hi,

Are there any weird interactions between IPF and IPSec? I'd like to have a NAT/firewall that on the less-secure interface also requires ESP/Transport processing for incoming packets.

At risk of encouraging wardrivers in my neighborhood, I'll explain a bit more about what I'm doing. I'm setting up a FreeBSD router with a wireless card and I'd like to drop all traffic coming in the wireless interface that is coming from anything that doesn't have the same encryption keys... I guess I'd be happy to start out using manual key setting via setkey and worry about IKE later.

For packets with the right encryption key, I would then send them through IPF to be further firewall/NAT'ed before being passed into my internal network.

I have the system set up without IPSec now, relying on WEP (yeah right) and ssh-tunnels that I make on the fly to do anything I am more concerned about.

I have the routing and NAT (and WEP) set up and working now and I've just started reading the IPSec stuff and have kernels rebuilding etc.

Will IPF and IPSec interoperate properly? Do I have to load them in the right order? How do I tell one to pass packets to the other?

Thanks for any help :)

Fred

--
Fred Clift - fclift@verio.net -- Remember: If brute force doesn't work, you're just not using enough.