Date:      Wed, 29 Nov 2000 07:19:25 -0800
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Dominick LaTrappe <seraf@2600.COM>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: filtering ipsec traffic 
Message-ID:  <200011291519.eATFJSN20826@cwsys.cwsent.com>
In-Reply-To: Your message of "Tue, 28 Nov 2000 23:49:09 EST." <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com> 

In message <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com>, Dominick LaTrappe writes:
> It seems that, on the way in, ipfilter on FreeBSD gets packets before KAME
> does, and on the way out, after.  This limits ipfilter to inspecting
> traffic from IPsec peers on layer 3 only.  Since I see no
> packet-filtering mechanism in KAME itself, this presents a severe
> limitation, namely that I must trust my IPsec peers enough for their
> traffic to bypass any layer-4 filters.
> 
> Is there some way to give ipfilter two passes, pre-KAME and post-KAME?  
> The even better fix, I suppose, would be to have 4 ipfilter rulesets
> instead of 2 -- pre-KAME in, pre-KAME out, post-KAME in, post-KAME out.
> 
> In the mean time, I'm using tcpwrappers as a last-line-of-defense where I
> can, but it's not enough.

Looking at the source, I don't see any references to IPFW either, 
meaning this is not a simple copy-the-code change.

One option would be to set up a point-to-point IPSec tunnel between the 
two gateways, then use an IP tunnel within it.   Alternatively you 
could use pipsecd, which sets up an IPSec tunnel and defines a tun 
interface, which can be filtered using IP Filter or IPFW.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
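
As an added illustration of the first option above (an IP tunnel carried inside IPsec, with the layer-4 filtering done on the tunnel interface), here is example configuration that is not from this thread and not FreeBSD's or KAME's own documentation. It assumes a FreeBSD 4.x-era gateway with KAME IPsec and IP Filter, a gif interface already present in the kernel, racoon supplying the SAs, and, as the suggestion itself presupposes, that ipf sees the decapsulated inner packets on the gif interface. All addresses, interface names, ports and the sample rules are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): the pieces of the
# "IP tunnel inside an IPsec tunnel" workaround on a FreeBSD 4.x-era host
# with KAME IPsec and IP Filter.  gif0 carries IP-in-IP (protocol 4)
# between the two gateways, an IPsec transport-mode policy protects exactly
# that traffic, and the layer-4 ruleset lives on gif0, where ipf sees the
# decapsulated inner packets.  Addresses, interface names, ports and the
# sample rules are all assumptions; gif0 is assumed to exist already
# (pseudo-device gif in the kernel config) and racoon to supply the SAs.
# Without APPLY=1 the script only prints what it would do.

LOCAL_GW=${LOCAL_GW:-192.0.2.1}          # assumed: our external address
REMOTE_GW=${REMOTE_GW:-198.51.100.1}     # assumed: peer's external address
LOCAL_NET=${LOCAL_NET:-10.1.0.0/16}      # assumed: network behind us
REMOTE_NET=${REMOTE_NET:-10.2.0.0/16}    # assumed: network behind the peer
EXT_IF=${EXT_IF:-fxp0}                   # assumed: our external interface
TUN_IF=${TUN_IF:-gif0}                   # assumed: the IP-in-IP interface

# Tunnel setup: outer addresses are the gateways, inner addresses a private
# /30, and the peer's network is routed through the tunnel.
gif_commands() {
    cat <<EOF
ifconfig $TUN_IF tunnel $LOCAL_GW $REMOTE_GW
ifconfig $TUN_IF 10.255.255.1 10.255.255.2 netmask 255.255.255.252
route add -net $REMOTE_NET 10.255.255.2
EOF
}

# Security policy for setkey(8): only the IP-in-IP traffic between the two
# gateways must be ESP-protected, in transport mode, in both directions.
# "require" means unprotected IP-in-IP from the peer is discarded in-kernel.
setkey_policy() {
    cat <<EOF
spdflush;
spdadd $LOCAL_GW $REMOTE_GW ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_GW $LOCAL_GW ipencap -P in ipsec esp/transport//require;
EOF
}

# IP Filter rules.  On the external interface ipf only ever sees the outer
# ESP (and IKE) packets; the inner packets surface on the gif interface after
# KAME has decrypted and gif has decapsulated them, so that is where the
# layer-4 policy for the peer's networks belongs.
ipf_rules() {
    cat <<EOF
# Outer packets on $EXT_IF: ESP and IKE between the gateways only.
pass in quick on $EXT_IF proto esp from $REMOTE_GW to $LOCAL_GW
pass out quick on $EXT_IF proto esp from $LOCAL_GW to $REMOTE_GW
pass in quick on $EXT_IF proto udp from $REMOTE_GW port = 500 to $LOCAL_GW port = 500
pass out quick on $EXT_IF proto udp from $LOCAL_GW port = 500 to $REMOTE_GW port = 500
# Belt and braces: unprotected IP-in-IP from anywhere never reaches gif.
block in log quick on $EXT_IF proto 4 all
# Inner packets on $TUN_IF: the layer-4 policy the peer cannot bypass.
pass in quick on $TUN_IF proto tcp from $REMOTE_NET to $LOCAL_NET port = 25 flags S keep state
pass in quick on $TUN_IF proto tcp from $REMOTE_NET to $LOCAL_NET port = 22 flags S keep state
pass out quick on $TUN_IF proto tcp from $LOCAL_NET to $REMOTE_NET flags S keep state
block in log quick on $TUN_IF all
block out log quick on $TUN_IF all
EOF
}

# Apply everything for real; ipf -f - reads the ruleset from stdin.
apply() {
    gif_commands | sh
    setkey_policy | setkey -c
    ipf_rules | ipf -Fa -f -
}

if [ "${APPLY:-0}" = 1 ]; then
    apply
else
    echo "## gif setup";      gif_commands
    echo "## setkey policy";  setkey_policy
    echo "## ipf rules";      ipf_rules
fi
```

Two caveats worth keeping in mind with this layout. The inner rules on gif0 only govern what arrives through the tunnel; the peer still talks to the gateway's own stack on the outer addresses (ESP, and IKE if racoon is used), so the external-interface rules should stay as tight as shown. And the "require" policy already makes the kernel drop IP-in-IP between the gateways that did not arrive inside ESP; the `proto 4` block on the external interface is defence in depth, not the primary control.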
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200011291519.eATFJSN20826>