Date:      Wed, 29 Nov 2000 18:57:52 +0100
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        freebsd-security@freebsd.org
Subject:   Re: filtering ipsec traffic
Message-ID:  <20001129185752.O27042@speedy.gsinet>
In-Reply-To: <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com>; from seraf@2600.COM on Tue, Nov 28, 2000 at 11:49:09PM -0500
References:  <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com>

On Tue, Nov 28, 2000 at 23:49 -0500, Dominick LaTrappe wrote:
> 
> It seems that, on the way in, ipfilter on FreeBSD gets packets
> before KAME does, and on the way out, after.  This limits
> ipfilter to inspecting traffic from IPsec peers on layer 3
> only. [ ... ] Is there some way to give ipfilter two passes,
> pre-KAME and post-KAME?  The even better fix, I suppose, would
> be to have 4 ipfilter rulesets instead of 2 -- pre-KAME in,
> pre-KAME out, post-KAME in, post-KAME out.

Am I wrong thinking that one already has these four hooks
available?  (Sorry, I haven't toyed with IPsec yet.)

AFAIK it's as follows:
- Your IPsec traffic comes in on tun0 or whatever your external
  interface is called
- it then runs through the IPsec code (which you refer to as
  "KAME" in the above, I guess) and turns into "regular" IPv4
  packets
- which leave the machine (or go into localhost applications) via
  the enc0 interface

And the way out is similar with a chain of
  app -> enc0 -> IPsec -> tun0 -> wire


Please tell me if I'm wrong.  I'm looking forward to learning new
things which are helpful for future projects. :)


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
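The four hooks described in the message above (in and out on the outer interface, in and out on enc0) written out as an ipfilter ruleset; this is an added illustration, not part of the original mail. The peer and local addresses, the protected subnets, and the assumption that enc0 is exposed to ipfilter on the reader's FreeBSD/KAME version are constructed for the example.

```conf
# Constructed example ruleset, not from the original post.
# 203.0.113.1 = this gateway's tun0 address, 198.51.100.1 = IPsec peer,
# 10.2.0.0/24 = local protected subnet, 10.1.0.0/24 = remote subnet.

# tun0 (pre-IPsec side): only IKE and ESP from the known peer may pass.
# Anything else hitting the outer interface is logged and dropped.
pass in  quick on tun0 proto udp from 198.51.100.1 port = 500 to 203.0.113.1 port = 500 keep state
pass in  quick on tun0 proto esp from 198.51.100.1 to 203.0.113.1
pass out quick on tun0 proto udp from 203.0.113.1 port = 500 to 198.51.100.1 port = 500 keep state
pass out quick on tun0 proto esp from 203.0.113.1 to 198.51.100.1
block in  log quick on tun0 all
block out log quick on tun0 all

# enc0 (post-IPsec side): the decrypted packets are plain IPv4 here,
# so layer-4 policy for the tunnel can be applied on this interface.
pass in  quick on enc0 proto tcp from 10.1.0.0/24 to 10.2.0.10 port = 22 keep state
pass out quick on enc0 proto tcp from 10.2.0.0/24 to 10.1.0.0/24 port = 80 keep state
block in  log quick on enc0 all
block out log quick on enc0 all
```

Whether the enc0 rules ever see traffic depends on the IPsec stack handing decrypted packets to the filter on that interface, so a logged hit on the enc0 block rules is the quickest way to confirm the hook is live before relying on it.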





