Date: Wed, 29 Nov 2000 07:19:25 -0800 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: Dominick LaTrappe <seraf@2600.COM> Cc: freebsd-security@FreeBSD.ORG Subject: Re: filtering ipsec traffic Message-ID: <200011291519.eATFJSN20826@cwsys.cwsent.com> In-Reply-To: Your message of "Tue, 28 Nov 2000 23:49:09 EST." <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com>, Dominick LaTrappe writes: > It seems that, on the way in, ipfilter on FreeBSD gets packets before KAME > does, and on the way out, after. This limits ipfilter to inspecting > traffic from IPsec peers on on layer 3 only. Since I see no > packet-filtering mechanism in KAME itself, this presents a severe > limitation, namely that I must trust my IPsec peers enough for their > traffic to bypass any layer-4 filters. > > Is there some way to give ipfilter two passes, pre-KAME and post-KAME? > The even better fix, I suppose, would be to have 4 ipfilter rulesets > instead of 2 -- pre-KAME in, pre-KAME out, post-KAME in, post-KAME out. > > In the mean time, I'm using tcpwrappers as a last-line-of-defense where I > can, but it's not enough. Looking at the source, I don't see any references to IPFW either, meaning this is not a simple copy-the-code change. One option would be to set up a point-to-point IPSec tunnel between the two gateways, then use an IP tunnel within it. Alternatively you could pipsecd which sets up an IPSec tunnel and defines a tun interface, which can be filtered using IP Filter or IPFW. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200011291519.eATFJSN20826>