From owner-freebsd-net@FreeBSD.ORG Sat Oct 30 21:42:15 2004
Date: Sat, 30 Oct 2004 23:42:12 +0200
From: Joost Bekkers <joost@jodocus.org>
To: Ari Suutari
cc: freebsd-net@freebsd.org
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
Message-ID: <20041030214212.GA1737@bps.jodocus.org>
In-Reply-To: <200410300927.51286.ari@suutari.iki.fi>
List-Id: Networking and TCP/IP with FreeBSD

On Sat, Oct 30, 2004 at 09:27:50AM +0300, Ari Suutari wrote:
> Hi,
>
> I noticed that processing order of ipsec and ipfw (pfil_hook) is not
> correct for outgoing packets. Currently, ipsec processing is done first,
> which makes packets go through without firewall inspection.
> This might be a security problem for someone, but at least it
> breaks stateful rule handling.
>
> My test setup is (all freebsd 5.3-rc1 machines):
>
> freebsd laptop <-> ipsec tunnel <-> freebsd server
>
> When server sends packet to laptop, it now goes like this:
>
> ip_output -> ipsec -> ip_output -> ipfw -> network
>
> It should go like this:
>
> ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network
>
> I think that this could be fixed by just moving pfil_hook
> processing in ip_output before ipsec processing.
>

I've been pondering the same issue and am currently running 5.3-R modified
in the way you've described. (diff at http://jodocus.org/ipsec-pfil.diff;
I'm not an experienced kernel-hacker, so use at own risk)

For IPSEC this also means that the resulting ESP and AH packets don't
traverse the firewall when leaving the system. (at least if I read the
code correctly; not tested)

With FAST_IPSEC both the original and the resulting ESP/AH packets
traverse the firewall.

In my case I also stumbled on a nice FAST_IPSEC feature where the decoded
packets seemed to arrive through the corresponding gif* interface. (with
tunnel-mode ipsec)

-- 
greetz Joost
joost@jodocus.org
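The two ip_output orderings discussed in this thread, modelled as an added example (this is not FreeBSD code and not the diff linked above). A toy ipfw-like firewall creates dynamic state on outbound TCP and accepts inbound TCP only against that state; a toy tunnel wraps packets in ESP. With ipsec run before pfil, the firewall only ever sees the ESP packet on the way out, so no state exists when the decapsulated reply arrives and it is denied; with pfil run first, the plaintext packet creates state and the reply is accepted. The ESP packet traverses the firewall in both orders, which matches the FAST_IPSEC behaviour Joost describes rather than the KAME IPSEC case. Addresses, ports and the rule shapes are constructed for the example.

```python
"""Toy model of pfil/ipsec ordering in ip_output (added illustration, not kernel code)."""
from dataclasses import dataclass, field
from typing import Optional

ESP = 50   # IP protocol number of ESP
TCP = 6    # IP protocol number of TCP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    inner: Optional["Packet"] = None   # set when this packet is an ESP tunnel packet


@dataclass
class StatefulFirewall:
    """Tiny ipfw-like policy (constructed): outbound TCP is allowed and creates
    dynamic state (keep-state); inbound TCP is allowed only if it matches that
    state (check-state); ESP itself is always allowed so the tunnel can work."""
    state: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p, direction):
        # Flow key normalised to the outbound direction so replies match.
        if direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def outbound(self, p):
        if p.proto == ESP:
            self.log.append("out ESP allowed (no TCP state created)")
            return True
        if p.proto == TCP:
            self.state.add(self._key(p, "out"))
            self.log.append(f"out TCP {p.sport}->{p.dport} allowed, state created")
            return True
        return False

    def inbound(self, p):
        if p.proto == ESP:
            return True
        if self._key(p, "in") in self.state:
            self.log.append(f"in TCP {p.sport}->{p.dport} matched state")
            return True
        self.log.append(f"in TCP {p.sport}->{p.dport} DENIED, no state")
        return False


def esp_encapsulate(p, local, remote):
    """Tunnel-mode ESP: the original packet becomes the payload of a new IP packet."""
    return Packet(local, remote, ESP, inner=p)


def ip_output_ipsec_first(fw, p, local, remote):
    """Order the thread reports for 5.3-RC1: ipsec runs before pfil, so the
    firewall only sees the ESP packet when the recursive ip_output runs."""
    return fw.outbound(esp_encapsulate(p, local, remote))


def ip_output_pfil_first(fw, p, local, remote):
    """Proposed order: pfil inspects the plaintext packet, then ipsec
    encapsulates and the recursive ip_output runs pfil again on the ESP packet."""
    if not fw.outbound(p):
        return False
    return fw.outbound(esp_encapsulate(p, local, remote))


def ip_input(fw, esp):
    """Inbound path: the ESP packet is inspected, decapsulated, and the inner
    packet is then inspected in turn."""
    if not fw.inbound(esp):
        return False
    return fw.inbound(esp.inner)


def run(order):
    """Send one TCP SYN through the tunnel with the given ordering and report
    whether the decapsulated SYN/ACK reply is accepted by the firewall."""
    server, laptop = "10.0.0.1", "10.0.0.2"        # constructed tunnel endpoints
    fw = StatefulFirewall()
    syn = Packet("192.168.1.1", "192.168.2.1", TCP, sport=40000, dport=22)
    order(fw, syn, server, laptop)
    synack = Packet("192.168.2.1", "192.168.1.1", TCP, sport=22, dport=40000)
    accepted = ip_input(fw, esp_encapsulate(synack, laptop, server))
    return accepted, fw.log


if __name__ == "__main__":
    for name, order in (("ipsec first", ip_output_ipsec_first),
                        ("pfil first", ip_output_pfil_first)):
        accepted, log = run(order)
        print(f"{name}: reply accepted = {accepted}")
        for line in log:
            print("  " + line)
```

Running it prints the firewall log for each ordering; the only difference between the two runs is whether the plaintext SYN passed the firewall before encapsulation, which is exactly the state the reply depends on.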