From owner-freebsd-security Tue Nov 28 20:49:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from phalse.2600.com (phalse.2600.COM [216.66.24.2]) by hub.freebsd.org (Postfix) with ESMTP id 6C58C37B401 for ; Tue, 28 Nov 2000 20:49:13 -0800 (PST)
Received: from localhost (localhost [[UNIX: localhost]]) by phalse.2600.com (8.8.8/8.8.8) with ESMTP id XAA17095 for ; Tue, 28 Nov 2000 23:49:09 -0500 (EST)
Date: Tue, 28 Nov 2000 23:49:09 -0500 (EST)
From: Dominick LaTrappe
To: freebsd-security@freebsd.org
Subject: filtering ipsec traffic
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It seems that, on the way in, ipfilter on FreeBSD gets packets before KAME does, and on the way out, after. This limits ipfilter to inspecting traffic from IPsec peers on layer 3 only. Since I see no packet-filtering mechanism in KAME itself, this presents a severe limitation, namely that I must trust my IPsec peers enough for their traffic to bypass any layer-4 filters.

Is there some way to give ipfilter two passes, pre-KAME and post-KAME? The even better fix, I suppose, would be to have 4 ipfilter rulesets instead of 2 -- pre-KAME in, pre-KAME out, post-KAME in, post-KAME out.

In the meantime, I'm using tcpwrappers as a last-line-of-defense where I can, but it's not enough.

||| Dominick
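As an added illustration (constructed for this archive page, not part of the original post), the following ipfilter ruleset and hosts.allow fragment show, under the processing order the post describes, which rules never get a chance to match the IPsec peer's decapsulated traffic, and where tcpwrappers fits in. The interface `fxp0` and the addresses 192.0.2.1 (this host) and 192.0.2.2 (the IPsec peer) are assumed values.

```text
# /etc/ipf.rules  (constructed example; fxp0, 192.0.2.1 = this host and
# 192.0.2.2 = IPsec peer are assumed values)

# Inbound: ipfilter runs BEFORE KAME, so the only packets it sees from the
# peer are IKE (UDP 500) and ESP. These two rules are the ones that match.
pass in quick on fxp0 proto udp from 192.0.2.2 port = 500 to 192.0.2.1 port = 500
pass in quick on fxp0 proto esp from 192.0.2.2 to 192.0.2.1

# The TCP/UDP carried inside the ESP is never handed back to ipfilter after
# KAME decapsulates it, so this intended layer-4 restriction ("only port 22
# from the peer") is never evaluated against the plaintext: every listening
# port on 192.0.2.1 is reachable from 192.0.2.2 through the tunnel.
pass in quick on fxp0 proto tcp from 192.0.2.2 to 192.0.2.1 port = 22 flags S keep state
block in quick on fxp0 from 192.0.2.2 to any

# Outbound: ipfilter runs AFTER KAME, so it sees only ESP toward the peer;
# a layer-4 rule on the plaintext reply traffic is equally unmatched.
pass out quick on fxp0 proto esp from 192.0.2.1 to 192.0.2.2
block out quick on fxp0 proto tcp from 192.0.2.1 to 192.0.2.2

# /etc/hosts.allow (tcpwrappers): the last-line-of-defense the post mentions.
# It does see the plaintext connection, but only covers daemons linked with
# libwrap or started via inetd; anything else listening is unprotected.
sshd : 192.0.2.2 : allow
ALL  : 192.0.2.2 : deny
```

The `block in quick ... from 192.0.2.2` line documents the intent; whether it ever fires on the inner traffic is exactly the question the post raises.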