Date: Sat, 30 Oct 2004 09:27:50 +0300
From: Ari Suutari <ari@suutari.iki.fi>
To: freebsd-net@freebsd.org
Cc: freebsd-current@freebsd.org
Subject: ipfw and ipsec processing order for outgoing packets wrong
Message-ID: <200410300927.51286.ari@suutari.iki.fi>
Hi,

I noticed that the processing order of ipsec and ipfw (pfil_hook) is not correct for outgoing packets. Currently, ipsec processing is done first, which makes packets go through without firewall inspection. This might be a security problem for someone, but at least it breaks stateful rule handling.

My test setup is (all FreeBSD 5.3-RC1 machines):

freebsd laptop <-> ipsec tunnel <-> freebsd server

When the server sends a packet to the laptop, it now goes like this:

ip_output -> ipsec -> ip_output -> ipfw -> network

It should go like this:

ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network

I think that this could be fixed by just moving pfil_hook processing in ip_output before ipsec processing.

Ari S.
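To make the consequence for stateful rules concrete, here is a small Python model of the two hook orders described in the message above. It is an added illustration, not part of Ari's post or of FreeBSD's code: the ipfw rule set, the host names and the StatefulFw/ip_output/reply_accepted functions are constructed assumptions, and the two hosts are taken to be the tunnel endpoints themselves, as in the test setup.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    proto: str  # "tcp" (inner flow) or "esp" (tunnel-mode outer packet)
    src: str
    dst: str

@dataclass
class StatefulFw:
    """Model of an ipfw set: 'check-state; allow tcp from me to any keep-state;
    deny ip from any to any' (ESP between the endpoints assumed allowed by a
    static rule). Hypothetical model for illustration, not ipfw code."""
    state: set = field(default_factory=set)

    def outbound(self, p: Pkt) -> None:
        # keep-state: an outbound TCP packet installs a dynamic rule for its flow
        if p.proto == "tcp":
            self.state.add((p.src, p.dst))

    def inbound(self, p: Pkt) -> bool:
        # check-state: a decrypted inbound TCP reply passes only if the reverse
        # tuple was seen outbound; otherwise the default deny applies
        return p.proto == "tcp" and (p.dst, p.src) in self.state

def ipsec_encap(p: Pkt, local_gw: str, remote_gw: str) -> Pkt:
    # Tunnel mode: the inner packet becomes the payload of an ESP packet between
    # the two endpoints, so its TCP header is no longer visible to later hooks
    return Pkt("esp", local_gw, remote_gw)

def ip_output(p: Pkt, fw: StatefulFw, ipsec_first: bool) -> Pkt:
    """Return the packet that reaches the wire under either hook order."""
    if not ipsec_first:
        fw.outbound(p)               # proposed order: ipfw sees the inner packet
    outer = ipsec_encap(p, p.src, p.dst)
    fw.outbound(outer)               # re-entered ip_output: ipfw sees only ESP
    return outer

def reply_accepted(ipsec_first: bool) -> bool:
    """Does the laptop's TCP reply get through the server's stateful ipfw?"""
    fw = StatefulFw()
    ip_output(Pkt("tcp", "server", "laptop"), fw, ipsec_first)  # constructed flow
    # Inbound: ipsec decapsulates the ESP reply and the inner TCP packet
    # re-enters ip_input, where ipfw evaluates it against the dynamic rules.
    return fw.inbound(Pkt("tcp", "laptop", "server"))

if __name__ == "__main__":
    print("current order (ipsec first): reply accepted =", reply_accepted(True))
    print("proposed order (ipfw first): reply accepted =", reply_accepted(False))
```

With ipsec first, the only thing ipfw ever sees outbound is the ESP packet, so no dynamic rule exists for the inner TCP flow and the decrypted reply is dropped by the default deny; with ipfw first, the keep-state rule matches the inner packet and the reply is accepted.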