From owner-freebsd-ipfw Tue Feb 11 04:39:06 2003
Delivered-To: freebsd-ipfw@freebsd.org
Message-ID: <3E48EEE4.AEFC0B4C@dolaninformation.com>
Date: Tue, 11 Feb 2003 06:39:00 -0600
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Cc: Andriy Gapon, freebsd-ipfw@freebsd.org
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
References: <20030210114213.P53494@edge.foundation.invalid>
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk

Andriy Gapon wrote:
>
> Is there any remedy expected before 4.8 release for the situation with
> ipsec & ipfw interaction that was created after 'ip_input.c 1.130.2.40,
> MFC: 1.214'?
>
> The reason I am asking this question with such a big crosspost is that it
> seems that all previous discussions on this topic resulted in nothing. And
> this change definitely breaks things for those who use ipsec without extra
> stuff like gif tunnels. It definitely doesn't look like a kind of change
> welcomed in the -stable branch, not to mention a potential security
> vulnerability for those who can not use gif.
>
> I apologize in case I have missed any latest developments in this
> area.
>
> --

Would it be possible to extend the sysctl variable 'net.inet.ip.fw.one_pass'
to include ipsec (esp) traffic? Or maybe create a new similar sysctl
variable, e.g. net.inet.ip.fw.ipsec.one_pass?

When enabled it would allow ipsec gateways to filter decrypted rfc1918
network traffic on their internal interface(s) and have the all-encompassing
block of rfc1918 traffic on their external interface(s). In the case of
non-gateway/single-interface boxes using ipsec, the multiple-passes-through-ipfw
behavior could still be used to filter decrypted traffic.

Not sure how doable this is, but it avoids the hassle of gif/ipip tunnels
(thus keeping interoperability with other non-bsd/linux devices) and also
avoids the possible quagmire of a "dedicated" ipsec/esp interface.

Just my two bits,
greg
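The two-interface layout Greg describes, written out as an rc.firewall-style ipfw ruleset. This is an added example, not code from the post or from FreeBSD: the interface names (fxp0/fxp1), the addresses (TEST-NET ranges), the networks and the rule numbers are all assumptions chosen for illustration. The outside interface admits only IKE and ESP from the peer and then applies the blanket RFC1918 block; the decrypted inter-site traffic is filtered as cleartext on the inside interface. This is the policy that the post says the multiple-pass behaviour defeats (the decrypted inner packet, with a private source address, is run through the rules again and meets the external-interface RFC1918 deny), and that the proposed one_pass extension for ESP would make work as written. The proposed sysctl is the post's idea, not an existing knob, so the script does not set it.

```sh
#!/bin/sh
# Added example (not from the post or from FreeBSD): an rc.firewall-style
# ipfw ruleset for an IPsec gateway with a separate inside interface.
# Every name, address and network below is an assumption for illustration.
EXT_IF=fxp0                 # Internet-facing interface (assumed)
INT_IF=fxp1                 # LAN interface (assumed)
EXT_IP=198.51.100.10        # our public address (TEST-NET-2, assumed)
PEER=203.0.113.5            # remote IPsec gateway (TEST-NET-3, assumed)
INT_NET=10.1.0.0/16         # our LAN (assumed)
REMOTE_NET=192.168.50.0/24  # LAN behind the peer, reached through the tunnel (assumed)
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# IPFW=echo gives a dry run that only lists the rules; the default loads them.
IPFW=${IPFW:-"ipfw -q"}
fw() { $IPFW add "$@"; }

load_rules() {
    $IPFW -f flush

    # External interface: let the tunnel itself in (IKE and ESP from the
    # peer), then the blanket RFC1918 block the gateway wants on its outside.
    fw 100 allow udp from $PEER 500 to $EXT_IP 500 in via $EXT_IF
    fw 110 allow esp from $PEER to $EXT_IP in via $EXT_IF
    for net in $RFC1918; do
        fw 200 deny log ip from $net to any in via $EXT_IF
    done

    # Internal interface: the decrypted, forwarded traffic is filtered here
    # as cleartext between the two private networks.
    fw 300 allow tcp from $REMOTE_NET to $INT_NET 22,80,443 out via $INT_IF setup
    fw 310 allow tcp from $REMOTE_NET to $INT_NET out via $INT_IF established
    fw 320 allow icmp from $REMOTE_NET to $INT_NET out via $INT_IF
    fw 390 deny log ip from any to $INT_NET out via $INT_IF

    # Stand-in for the rest of the site's policy (not a recommendation).
    fw 65000 allow ip from any to any
}

# Load only when invoked as "./rc.firewall.ipsec apply"; otherwise the file
# can be sourced and reviewed with "IPFW=echo load_rules".
if [ "${1:-}" = apply ]; then
    load_rules
fi
```

Rule 110 is the one the proposed knob would act on: with a one_pass semantic for ESP, its accept would end ipfw processing for the tunnel packet, and only the inside-interface rules (300 to 390) would ever see the cleartext. Without it, the decrypted packet from 192.168.50.0/24 is evaluated again and rule 200 for 192.168.0.0/16 on the outside interface rejects it, which is the breakage the thread is about.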