From owner-freebsd-security Wed Nov 29 12:16:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id DA1C437B401 for ; Wed, 29 Nov 2000 12:16:13 -0800 (PST)
Received: (qmail 9487 invoked by uid 0); 29 Nov 2000 20:16:11 -0000
Received: from p3ee21627.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.39) by mail.gmx.net (mail03) with SMTP; 29 Nov 2000 20:16:11 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id SAA32210 for freebsd-security@freebsd.org; Wed, 29 Nov 2000 18:57:52 +0100
Date: Wed, 29 Nov 2000 18:57:52 +0100
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: filtering ipsec traffic
Message-ID: <20001129185752.O27042@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from seraf@2600.COM on Tue, Nov 28, 2000 at 11:49:09PM -0500
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Nov 28, 2000 at 23:49 -0500, Dominick LaTrappe wrote:
>
> It seems that, on the way in, ipfilter on FreeBSD gets packets
> before KAME does, and on the way out, after. This limits
> ipfilter to inspecting traffic from IPsec peers on layer 3
> only. [ ... ] Is there some way to give ipfilter two passes,
> pre-KAME and post-KAME? The even better fix, I suppose, would
> be to have 4 ipfilter rulesets instead of 2 -- pre-KAME in,
> pre-KAME out, post-KAME in, post-KAME out.

Am I wrong thinking that one already has these four hooks
available? (Sorry, I haven't toyed with IPsec yet.)

AFAIK it's as follows:

- Your IPsec traffic comes in on tun0 or whatever your external
  interface is called
- it then runs through the IPsec code (which you refer to as
  "KAME" in the above, I guess) and turns into "regular" IPv4
  packets
- which leave the machine (or go into localhost applications)
  via the enc0 interface

And the way out is similar with a chain of

  app -> enc0 -> IPsec -> tun0 -> wire

Please tell me if I'm wrong. I'm looking forward to learning new
things which are helpful for future projects. :)


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
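The four hooks Gerhard describes (pre-KAME in/out on the external interface, post-KAME in/out on enc0) can be expressed as an ipfilter ruleset, one rule group per interface and direction. This is an added, constructed example, not from the thread or from the FreeBSD/ipfilter project; it assumes the enc0 model holds on the reader's system, an external interface named tun0, a peer gateway at 192.0.2.10, a local gateway at 198.51.100.1, and protected networks 10.1.0.0/16 (remote) and 10.2.0.0/16 (local), all placeholder values.

```conf
# /etc/ipf.rules -- constructed example; addresses and interfaces are placeholders
# Default deny in both directions; later "quick" rules override this.
block in log all
block out log all

# Pre-KAME, inbound on the wire: only ESP/AH and IKE (UDP/500) from the known peer.
# Nothing else is expected to arrive in the clear.
pass in quick on tun0 proto esp from 192.0.2.10 to 198.51.100.1
pass in quick on tun0 proto ah  from 192.0.2.10 to 198.51.100.1
pass in quick on tun0 proto udp from 192.0.2.10 port = 500 to 198.51.100.1 port = 500 keep state

# Post-KAME, inbound: the decapsulated packets show up on enc0, so layer-4 policy
# (which hosts may talk to which service) is enforced here.
pass in quick on enc0 proto tcp from 10.1.0.0/16 to 10.2.0.0/16 port = 22 flags S keep state
block in log quick on enc0 all

# Pre-KAME, outbound: cleartext leaves the application towards enc0 first.
pass out quick on enc0 proto tcp from 10.2.0.0/16 to 10.1.0.0/16 port = 22 flags S keep state

# Post-KAME, outbound: after encapsulation only ESP/AH/IKE may reach the wire.
pass out quick on tun0 proto esp from 198.51.100.1 to 192.0.2.10
pass out quick on tun0 proto ah  from 198.51.100.1 to 192.0.2.10
pass out quick on tun0 proto udp from 198.51.100.1 port = 500 to 192.0.2.10 port = 500 keep state
```

If enc0 is not present on the system, the two enc0 groups never match and only the layer-3 ESP/AH rules on tun0 take effect, which is exactly the limitation Dominick describes.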