From owner-freebsd-net Fri Sep 21 1:27:25 2001
Date: Fri, 21 Sep 2001 10:26:45 +0200
From: Sameh Ghane
To: freebsd-net@freebsd.org
Subject: ipfilter and IPSec processing order
Message-ID: <20010921102645.D77863@anthologeek.net>

Hi,

I use an IPSec tunnel (transport mode + gif) between two FreeBSD 4.3-p19 gateways, using ipfilter (v3.4.20 (264)) as packet filter.

With no particular statement about IPSec, I get this message:

    Sep 21 10:10:24 fw ipmon[94]: 10:10:23.578447 fxp0 @0:80 b 213.41.X.Y -> 213.41.W.Z PR ipencap len 20 (104) OUT

when I try to make my packets go out. Fine. I let protocol IP ENCAP (4) go through the firewall. Then, I get:

    Sep 21 10:13:40 fw ipmon[94]: 10:13:39.593013 fxp0 @0:90 b 213.41.W.Z -> 213.41.X.Y PR esp len 20 (136) IN

when packets come back to the gateway. Fine. I let protocol ESP (50) go through the firewall.

I can now ping both ends of the tunnel, because I explicitly allowed ICMP to go through ipf rules. Unfortunately, when I try to telnet the other side of the tunnel, on HTTP's port, using the private network addresses:

    Sep 21 10:15:43 fw ipmon[94]: 10:15:42.698858 fxp0 @0:91 b 192.168.202.17,80 -> 192.168.1.1,1259 PR tcp len 20 44 -AS IN

responses are not allowed to come back.

I even tried to put stateful rules for the private networks:

    pass out quick proto tcp from 192.168.0.0/17 to 192.168.128.0/17 keep state

Unsuccessfully.

So I am wondering, why is ipfilter seeing the packet twice: once encapsulated, once decapsulated?

I looked at freebsd-net, -security, and ipfilter mailing lists, with no success. NetBSD states that:

« Since February 2001, on NetBSD-current, ipf(4)/IPsec interaction was clarified as below: ipf(4) looks at packets in native wire format only. ipf(4) looks at packets before IPsec processing on inbound, and after IPsec processing on outbound. »

Is it done on FreeBSD? Why can't it be done (I read threads where people stated that packet filter and IPSec interaction was an unsolvable problem)? And even if the packet goes twice through the packet filter, why can't I use stateful rules? Hum!?

Cheers,
-- 
Sameh