Date:      Fri, 21 Sep 2001 10:26:45 +0200
From:      Sameh Ghane <sw@anthologeek.net>
To:        freebsd-net@freebsd.org
Subject:   ipfilter and IPSec processing order
Message-ID:  <20010921102645.D77863@anthologeek.net>

Hi,

I use an IPSec tunnel (transport mode + gif) between two FreeBSD 4.3-p19
gateways, using ipfilter (v3.4.20 (264)) as the packet filter.

With no particular statement about IPSec, I get this message:

Sep 21 10:10:24 fw ipmon[94]: 10:10:23.578447 fxp0 @0:80 b 213.41.X.Y -> 213.41.W.Z PR ipencap len 20 (104) OUT

when I try to make my packets go out.

Fine. I let protocol IP ENCAP (4) go through the firewall.

Then, I get:

Sep 21 10:13:40 fw ipmon[94]: 10:13:39.593013 fxp0 @0:90 b 213.41.W.Z -> 213.41.X.Y PR esp len 20 (136) IN

when packets come back to the gateway.

Fine. I let protocol ESP(50) go through the firewall.

I can now ping both ends of the tunnel, because I explicitly allowed ICMP
to go through the ipf rules. Unfortunately, when I try to telnet to the other
side of the tunnel, on HTTP's port, using the private network addresses:

Sep 21 10:15:43 fw ipmon[94]: 10:15:42.698858 fxp0 @0:91 b 192.168.202.17,80 -> 192.168.1.1,1259 PR tcp len 20 44 -AS IN

responses are not allowed to come back.

I even tried to put stateful rules for the private networks:

pass out quick proto tcp from 192.168.0.0/17  to 192.168.128.0/17  keep state

Unsuccessfully.

So I am wondering, why is ipfilter seeing the packet twice: once encapsulated,
once decapsulated?

I looked at freebsd-net, -security, and ipfilter mailing lists, with no success.

NetBSD states that:
    « Since February 2001, on NetBSD-current, ipf(4)/IPsec interaction was
    clarified as below:

        ipf(4) looks at packets in native wire format only. ipf(4) looks at
        packets before IPsec processing on inbound, and after IPsec processing
        on outbound. »

Is it done on FreeBSD? Why can't it be done? (I read threads where people
stated that packet filter and IPSec interaction was an unsolvable problem.)

And even if the packet goes twice through the packet filter, why can't I use
stateful rules? Hum!?

Cheers,

-- 
Sameh
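As an added example (not part of the original message or of ipfilter itself), a small parser for the ipmon(8) lines quoted above that labels each blocked packet as tunnel-layer (ipencap/ESP/AH) or decapsulated inner traffic, which makes the two passes through ipf visible in the log. The `Record` type, the `OUTER_PROTOS` set and the grouping helper are my own assumptions, not ipfilter APIs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The three ipmon(8) records quoted in the message above (addresses anonymised
# by the author), each re-joined onto a single line.
IPMON_LINES = [
    "Sep 21 10:10:24 fw ipmon[94]: 10:10:23.578447 fxp0 @0:80 b 213.41.X.Y -> 213.41.W.Z PR ipencap len 20 (104) OUT",
    "Sep 21 10:13:40 fw ipmon[94]: 10:13:39.593013 fxp0 @0:90 b 213.41.W.Z -> 213.41.X.Y PR esp len 20 (136) IN",
    "Sep 21 10:15:43 fw ipmon[94]: 10:15:42.698858 fxp0 @0:91 b 192.168.202.17,80 -> 192.168.1.1,1259 PR tcp len 20 44 -AS IN",
]

# Protocols that carry the tunnel itself (outer layer): IP-in-IP (4), ESP (50),
# AH (51). Anything else ipf reports is already-decapsulated inner traffic.
OUTER_PROTOS = {"ipencap", "esp", "ah", "4", "50", "51"}

# ipmon format: time iface @group:rule action src -> dst PR proto len hlen total [flags] DIR
# "total" is "(N)" for non-TCP records and a bare number for TCP ones.
_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>[\d:.]+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) len (?P<hlen>\d+) "
    r"(?:\((?P<total_p>\d+)\)|(?P<total>\d+))(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)\s*$"
)

@dataclass
class Record:
    iface: str
    rule: str          # "group:rule", e.g. "0:91"
    action: str        # "b" = blocked, "p" = passed
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: Optional[str]
    direction: str

    @property
    def layer(self) -> str:
        return "outer" if self.proto.lower() in OUTER_PROTOS else "inner"

def _split_endpoint(ep: str):
    # ipmon writes "addr,port" for TCP/UDP and a bare "addr" otherwise
    addr, sep, port = ep.partition(",")
    return addr, (int(port) if sep else None)

def parse_ipmon(line: str) -> Optional[Record]:
    m = _RE.search(line)
    if not m:
        return None
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    return Record(m["iface"], f"{m['group']}:{m['rule']}", m["action"],
                  src, sport, dst, dport, m["proto"], m["flags"], m["dir"])

def blocked_by_layer(lines):
    """Group blocked records by (interface, direction, layer, protocol)."""
    groups = {}
    for line in lines:
        r = parse_ipmon(line)
        if r is None or r.action != "b":
            continue
        groups.setdefault((r.iface, r.direction, r.layer, r.proto), []).append(r)
    return groups
```

Each key of `blocked_by_layer` is one pass rule a firewall would need before the tunnel traffic is allowed, with the inner/outer label showing which pass through ipf produced the block.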
