From: Ari Suutari
To: freebsd-net@freebsd.org
cc: freebsd-current@freebsd.org
Date: Sat, 30 Oct 2004 09:27:50 +0300
Message-Id: <200410300927.51286.ari@suutari.iki.fi>
Subject: ipfw and ipsec processing order for outgoing packets wrong

Hi,

I noticed that the processing order of ipsec and ipfw (pfil_hook) is not correct for outgoing packets. Currently, ipsec processing is done first, which makes packets go through without firewall inspection. This might be a security problem for someone, but at least it breaks stateful rule handling.

My test setup is (all FreeBSD 5.3-RC1 machines):

freebsd laptop <-> ipsec tunnel <-> freebsd server

When the server sends a packet to the laptop, it now goes like this:

ip_output -> ipsec -> ip_output -> ipfw -> network

It should go like this:

ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network

I think that this could be fixed by just moving pfil_hook processing in ip_output before ipsec processing.

Ari S.
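The stateful-rule breakage described in the mail, modelled in C as an added example (this is not code from the mail or from the FreeBSD source tree). The struct and function names, the addresses and the four-rule ipfw set (check-state, allow tcp out keep-state, allow esp, implicit deny) are all constructed for illustration; the model ignores SPD lookups, mbufs and everything else the real ip_output does. It compares the two orderings: with ipsec first, the pfil hook only ever sees the ESP packet on the way out, so keep-state never creates a dynamic rule and the decapsulated TCP reply hits the default deny on the inbound pass.

```c
/*
 * Toy model of the ip_output ordering problem: added illustration only.
 * None of this is FreeBSD code; struct pkt, struct fw, the addresses and
 * the ruleset below are invented for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TCP 6
#define PROTO_ESP 50

/* Constructed addresses: tunnel endpoints on the hosts, and the gateways. */
#define LAPTOP_IP 0x0a000001u /* 10.0.0.1 */
#define SERVER_IP 0x0a000002u /* 10.0.0.2 */
#define GW_LOCAL  0xc0a80101u /* 192.168.1.1 */
#define GW_REMOTE 0xc0a80102u /* 192.168.1.2 */

struct pkt {
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t sport, dport;
    bool     outbound;
};

/* Dynamic-rule table: what keep-state creates on a matching outbound packet. */
#define MAX_STATES 8
struct state { uint32_t src, dst; uint16_t sport, dport; bool used; };
struct fw { struct state tbl[MAX_STATES]; int dropped; };

static bool state_matches(const struct state *s, const struct pkt *p)
{
    if (!s->used) return false;
    if (s->src == p->src && s->dst == p->dst &&
        s->sport == p->sport && s->dport == p->dport) return true;   /* forward */
    return s->src == p->dst && s->dst == p->src &&
           s->sport == p->dport && s->dport == p->sport;              /* reply */
}

/*
 * Constructed ruleset, modelled on:
 *   ipfw add check-state
 *   ipfw add allow tcp from me to any out keep-state
 *   ipfw add allow esp from any to any
 *   (implicit) deny ip from any to any
 */
static bool fw_check(struct fw *fw, const struct pkt *p)
{
    for (int i = 0; i < MAX_STATES; i++)
        if (state_matches(&fw->tbl[i], p)) return true;        /* check-state */

    if (p->outbound && p->proto == PROTO_TCP) {                 /* keep-state */
        for (int i = 0; i < MAX_STATES; i++) {
            if (fw->tbl[i].used) continue;
            fw->tbl[i] = (struct state){ p->src, p->dst, p->sport, p->dport, true };
            return true;
        }
        return false;                                           /* table full */
    }
    if (p->proto == PROTO_ESP) return true;                     /* allow esp */

    fw->dropped++;                                              /* default deny */
    return false;
}

/* Tunnel-mode ESP: the inner packet is wrapped in an ESP packet between the gateways. */
static struct pkt ipsec_encap(const struct pkt *inner)
{
    return (struct pkt){ GW_LOCAL, GW_REMOTE, PROTO_ESP, 0, 0, inner->outbound };
}

/* Order reported in the mail: ipsec first, so the pfil hook sees only the ESP packet. */
static bool ip_output_current(struct fw *fw, const struct pkt *p)
{
    struct pkt esp = ipsec_encap(p);
    return fw_check(fw, &esp);
}

/* Proposed order: pfil hook on the inner packet, then ipsec, then the hook again on ESP. */
static bool ip_output_proposed(struct fw *fw, const struct pkt *p)
{
    if (!fw_check(fw, p)) return false;
    struct pkt esp = ipsec_encap(p);
    return fw_check(fw, &esp);
}

/* Inbound reply after ESP decapsulation, as it reaches the ipfw hook in ip_input. */
static bool deliver_reply(struct fw *fw, const struct pkt *orig)
{
    struct pkt reply = { orig->dst, orig->src, PROTO_TCP, orig->dport, orig->sport, false };
    return fw_check(fw, &reply);
}

/* True if the TCP reply to an outbound SYN from the server is accepted under the given ordering. */
bool reply_accepted(bool proposed_order)
{
    struct fw fw;
    memset(&fw, 0, sizeof fw);
    struct pkt syn = { SERVER_IP, LAPTOP_IP, PROTO_TCP, 40000, 22, true };
    bool sent = proposed_order ? ip_output_proposed(&fw, &syn)
                               : ip_output_current(&fw, &syn);
    return sent && deliver_reply(&fw, &syn);
}

int main(void)
{
    printf("ipsec before ipfw: reply %s\n", reply_accepted(false) ? "accepted" : "dropped");
    printf("ipfw before ipsec: reply %s\n", reply_accepted(true) ? "accepted" : "dropped");
    return 0;
}
```

The second fw_check in ip_output_proposed is the "ip_output -> ipfw" pass after re-entry that the mail lists; the ESP packet still has to be allowed explicitly, which is why the constructed ruleset carries an allow esp rule.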