From: "Ben Pfountz" <netprince@vt.edu>
To: freebsd-mobile@FreeBSD.org
Subject: Re: Requiring IPsec on wi interface?
Date: Wed, 15 Jan 2003 23:24:52 -0500
List-ID: freebsd-mobile

Hey list,

Just to close out my thread, here is what I found dealing with forcing IPsec on a network interface with FreeBSD 4.7-STABLE or later...

IPsec packets can be separated from clear packets at the layer2 level in the firewall. Once they get up to the higher levels, the esp flag cannot be used to separate clear from encrypted packets.
This is an example of how to block all non-ipsec packets coming in on an interface:

    allow all esp from any to any in via wi0 layer2
    deny all not esp from any to any in via wi0 layer2
    allow all from any to any in via wi0 not layer2

You will need IPFW2, so read the IPFW man page on how to build it into your system.

Ben
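The rule set above, worked into a loadable form as an added example that is not part of Ben's post or of FreeBSD: a POSIX sh script that generates a complete ipfw2 rule file for the interface and loads it. It goes beyond the three rules in the post in two ways that a practitioner runs into immediately: a layer2 deny of everything but ESP also drops IKE (UDP/500), so racoon can never negotiate the SAs that ESP depends on, and it drops ARP, which is not IP at all, so the host can no longer resolve its gateway. Both are admitted explicitly here. The interface name, the gateway address 192.0.2.1 (a documentation address), and the assumption that IKE is used for keying are all hypothetical; the sysctls net.inet.ip.fw.enable and net.link.ether.ipfw are real, and the second one is what makes the kernel hand Ethernet frames to ipfw at all.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates and loads an
# ipfw2 rule set that accepts only ESP (plus IKE and ARP) on a wireless
# interface at layer 2. Interface name and IPsec gateway address are
# hypothetical parameters; 192.0.2.1 is a documentation address.

# Print the rule set as ipfw(8) subcommands, suitable for "ipfw -q file".
#   $1 = interface carrying the untrusted link (e.g. wi0)
#   $2 = IPsec gateway that terminates our ESP tunnel and speaks IKE
ipsec_only_rules() {
    ifc="$1"
    peer="$2"
    cat <<EOF
# --- layer 2: raw frames from $ifc, before any IP processing ---
# Let our own frames out; everything inbound is policed below.
add 100 allow all from any to any out via $ifc layer2
# ARP (Ethernet type 0x0806) is not IP, so the ESP rule can never match it;
# admit it explicitly or the host cannot resolve $peer.
add 110 allow all from any to any mac-type 0x0806 in via $ifc layer2
# IKE from the gateway, so racoon can set up SAs before any ESP flows.
add 120 allow udp from $peer 500 to any 500 in via $ifc layer2
# The point of the exercise: ESP from the gateway is the only IP allowed in.
add 130 allow esp from $peer to any in via $ifc layer2
# Anything else arriving on $ifc in the clear is dropped here.
add 190 deny all from any to any in via $ifc layer2
# --- layer 3: only traffic that passed the layer-2 stage gets here, ---
# --- including the decapsulated payload of accepted ESP packets.   ---
add 200 allow all from any to any in via $ifc not layer2
EOF
}

# Load the rules on a FreeBSD host (must run as root). Without
# net.link.ether.ipfw=1 the kernel never passes Ethernet frames to ipfw,
# so the layer2 rules match nothing and only rule 200 is ever consulted.
apply_ipsec_only() {
    tmp=$(mktemp /tmp/ipsec-only.XXXXXX) || return 1
    ipsec_only_rules "$1" "$2" > "$tmp"
    sysctl net.inet.ip.fw.enable=1 >/dev/null &&
    sysctl net.link.ether.ipfw=1 >/dev/null &&
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the host (not run here):
#   apply_ipsec_only wi0 192.0.2.1
```

Run `ipsec_only_rules wi0 192.0.2.1` first and read the output before calling `apply_ipsec_only`: loading a rule set that denies at layer 2 from a session that itself arrives over that interface will cut the session off. On 4.x the IPFW2 variant is selected with `options IPFW2` in the kernel configuration and `IPFW2=TRUE` in /etc/make.conf before rebuilding ipfw(8), which is the build step the post refers to.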