From: Alex Le Heux
To: Kshitij Gunjikar
Cc: freebsd-net@FreeBSD.ORG
Date: Mon, 14 Jan 2002 14:13:05 +0100
Subject: Re: Filtering packets received through an ipsec tunnel
Message-ID: <20020114131305.GK75815@funk.org>
User-Agent: Mutt/1.3.25i

Hi,

I don't think this is quite correct. The fact that I have a tunnel means
I have some relation with the other network, and that I do not trust the
network(s) between us. It does NOT mean that I trust their security
setup and want to receive any packet that they send me.

So I would certainly hope that I have the option of filtering.

Cheers,

Alex Le Heux

On Mon, Jan 14, 2002 at 05:32:11PM +0530, Kshitij Gunjikar wrote:
> Hi Rene,
> I'm wondering why you want to filter secure traffic?
>
> The very fact that you have a tunnel to a place means you trust that
> network. Hence, why filter?
>
> What are the complex situations you have in mind?
>
> Regards
> Kshitij
>
> -----Original Message-----
> From: owner-freebsd-net@freebsd.org
> [mailto:owner-freebsd-net@freebsd.org]On Behalf Of Rene de Vries
> Sent: Sunday, January 13, 2002 10:32 PM
> To: net@freebsd.org
> Subject: Filtering packets received through an ipsec tunnel
>
> Hello,
>
> > This message was already posted to hackers@freebsd.org, but with
> > limited success.
> I'm hoping that someone on net@freebsd.org can give me some more
> information.
>
> By experimenting with ipsec and looking at the source of "ip_input.c",
> a co-worker and I found out the following.
>
> When an ipsec tunnel packet (protocol 50/51) is received, it is passed
> through ip-filter (& co). After filtering, and when it has been
> determined that the current host is the destination (tunnel
> end-point), this packet is decrypted/verified. The decrypted packet is
> then pushed back into the queue that leads to ip_input(...). So far so
> good....
>
> But once in ip_input(...) the filtering code is skipped, and we were
> wondering why.
>
> I know that ipsec has some handles to be able to filter on address,
> protocol and/or port. But for more complex situations this is not
> enough. In these situations it would be nice to be able to use
> ip-filter (& co) on traffic from the tunnel (and also for traffic going
> into the tunnel).
>
> I was wondering why this is implemented the way it is. Maybe someone on
> this list could shed some light on this?
>
> Rene
> --
> Rene de Vries

--
"My theory is that the (Internet) industry was started in large part by
technologists rather than media people..."
- Robin Webster, President, Interactive Advertising Bureau

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
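The receive path Rene describes (outer ESP/AH packet filtered, decapsulated at the tunnel endpoint, inner packet re-queued to ip_input() with filtering skipped) is easy to reason about with a small model. The following is an added example, not FreeBSD source and not code from anyone in this thread: "decryption" is just unwrapping an inner packet object, the filter is a toy first-match rule list standing in for ipfilter, and all addresses are constructed. The `filtered` flag models the original behaviour where a re-queued packet bypasses the filter; `filter_decapsulated=True` models the alternative Rene asks for, where the inner packet is filtered again (now tagged as having arrived through the tunnel).

```python
"""Toy model of the ip_input() receive path discussed in the thread.

Constructed example, not FreeBSD code.  The question it answers: if the
filter blocks TCP/23 to a local host, does a TCP/23 packet carried inside
an ESP tunnel from a peer still reach that host?
"""
from dataclasses import dataclass
from typing import List, Optional

ESP, AH, TCP = 50, 51, 6


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # tunnel-mode payload (ESP/AH only)
    from_tunnel: bool = False          # set once the packet has been decapsulated


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    proto: Optional[int] = None        # None = any protocol
    dport: Optional[int] = None        # None = any port


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First-match packet filter; an empty ruleset passes everything."""
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "pass"


def describe(pkt: Packet) -> str:
    tag = " (from tunnel)" if pkt.from_tunnel else ""
    port = f":{pkt.dport}" if pkt.dport is not None else ""
    return f"{pkt.src}->{pkt.dst}{port} proto {pkt.proto}{tag}"


def ip_input(pkt, rules, local_addrs, filter_decapsulated, delivered, log,
             filtered=False):
    """Model of ip_input(): filter, check destination, decapsulate, re-enter.

    `filtered=True` mirrors what Rene observed: a packet re-queued after
    decapsulation enters ip_input() with the filter step already marked done.
    """
    if not filtered:
        verdict = first_match(rules, pkt)
        log.append(f"filter {describe(pkt)}: {verdict}")
        if verdict == "block":
            return
    if pkt.dst not in local_addrs:
        log.append(f"forward {describe(pkt)}")
        return
    if pkt.proto in (ESP, AH) and pkt.inner is not None:
        inner = pkt.inner                  # stands in for ESP/AH processing
        inner.from_tunnel = True
        log.append(f"decapsulate {describe(pkt)}")
        # Re-queue the inner packet.  Original design: filter skipped on
        # re-entry.  With filter_decapsulated=True it runs once more.
        ip_input(inner, rules, local_addrs, filter_decapsulated, delivered,
                 log, filtered=not filter_decapsulated)
        return
    delivered.append(pkt)


def run_scenario(filter_decapsulated: bool):
    """Send a tunnelled and a plaintext TCP/23 packet through a 'block TCP/23' ruleset."""
    rules = [Rule("block", proto=TCP, dport=23)]
    local = {"192.0.2.2", "10.0.0.7"}
    # Constructed addresses: 192.0.2.x are the tunnel endpoints, 10.x the
    # networks behind them, 198.51.100.9 an unrelated Internet host.
    tunnelled = Packet("192.0.2.1", "192.0.2.2", ESP,
                       inner=Packet("10.1.0.5", "10.0.0.7", TCP, dport=23))
    plaintext = Packet("198.51.100.9", "10.0.0.7", TCP, dport=23)
    delivered, log = [], []
    for p in (tunnelled, plaintext):
        ip_input(p, rules, local, filter_decapsulated, delivered, log)
    return [describe(p) for p in delivered], log


if __name__ == "__main__":
    for mode in (False, True):
        got, log = run_scenario(filter_decapsulated=mode)
        print(f"filter decapsulated packets = {mode}")
        for line in log:
            print("  " + line)
        print("  delivered:", got or "nothing")
```

With `filter_decapsulated=False` the plaintext TCP/23 packet is blocked but the identical packet arriving inside the tunnel is delivered, because the only filter pass saw an ESP packet; with `filter_decapsulated=True` both are blocked. The `from_tunnel` tag is the hook an ipfilter-style ruleset would need to write rules such as "block X unless it came through the tunnel", which is the use case Alex describes.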