From owner-freebsd-security  Wed Nov 29  7:21:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id 8596937B400
	for <freebsd-security@FreeBSD.ORG>; Wed, 29 Nov 2000 07:21:22 -0800 (PST)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA18027;
	Wed, 29 Nov 2000 07:20:26 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda18025; Wed Nov 29 07:20:26 2000
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eATFKKx13553;
	Wed, 29 Nov 2000 07:20:20 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
 via SMTP by passer9.cwsent.com, id smtpdF13543; Wed Nov 29 07:19:28 2000
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.1/8.9.1) id eATFJSN20826;
	Wed, 29 Nov 2000 07:19:28 -0800 (PST)
Message-Id: <200011291519.eATFJSN20826@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdl20822; Wed Nov 29 07:19:25 2000
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-OS: FreeBSD 4.2-RELEASE
X-Sender: cy
To: Dominick LaTrappe <seraf@2600.COM>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: filtering ipsec traffic 
In-reply-to: Your message of "Tue, 28 Nov 2000 23:49:09 EST."
             <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 29 Nov 2000 07:19:25 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com>, 
Dominick
 LaTrappe writes:
> It seems that, on the way in, ipfilter on FreeBSD gets packets before KAME
> does, and on the way out, after.  This limits ipfilter to inspecting
> traffic from IPsec peers on on layer 3 only.  Since I see no
> packet-filtering mechanism in KAME itself, this presents a severe
> limitation, namely that I must trust my IPsec peers enough for their
> traffic to bypass any layer-4 filters.
> 
> Is there some way to give ipfilter two passes, pre-KAME and post-KAME?  
> The even better fix, I suppose, would be to have 4 ipfilter rulesets
> instead of 2 -- pre-KAME in, pre-KAME out, post-KAME in, post-KAME out.
> 
> In the mean time, I'm using tcpwrappers as a last-line-of-defense where I
> can, but it's not enough.

Looking at the source, I don't see any references to IPFW either, 
meaning this is not a simple copy-the-code change.

One option would be to set up a point-to-point IPSec tunnel between the 
two gateways, then use an IP tunnel within it.   Alternatively you 
could pipsecd which sets up an IPSec tunnel and defines a tun 
interface, which can be filtered using IP Filter or IPFW.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message