Date: Thu, 16 Jan 2003 01:08:19 -0500 (EST)
From: Andriy Gapon <agapon@excite.com>
To: freebsd-mobile@FreeBSD.ORG
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Requireing IPsec on wi interface?
Message-ID: <20030116010203.G7550@edge.foundation.invalid>
I'd rather see this behavior be configured via sysctl than introducing an overhead for all interfaces and messing with ipfw layer2 rules. Sort of surprising that such a big difference in ipsec-ipfw interaction between 4.7-release and stable was made without a wide discussion or at least an announcement.

In reply to:

Date: Wed, 15 Jan 2003 23:24:52 -0500
From: "Ben Pfountz" <netprince@vt.edu>
To: <freebsd-mobile@FreeBSD.ORG>
Subject: Re: Requireing IPsec on wi interface?
Message-ID: <002501c2bd17$36ebdd80$6511a8c0@benspiece>

Hey list,

Just to close out my thread, here is what I found dealing with forcing IPsec on a network interface with FreeBSD 4.7-STABLE or later...

IPsec packets can be separated from clear packets at the layer2 level in the firewall. Once they get up to the higher levels, the esp flag cannot be used to separate clear from encrypted packets. This is an example of how to block all non-ipsec packets coming in on an interface:

    allow all esp from any to any in via wi0 layer2
    deny all not esp from any to any in via wi0 layer2
    allow all from any to any in via wi0 not layer2

You will need IPFW2, so read the IPFW man page on how to build it into your system.

Ben

-- 
Andriy Gapon

* Broadcast Message from wnpdev21 (pts/tg) Wed Jan 8 09:12:47... replacing the jar - krishna 3931
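As an added illustration of why the three rules above have to live at layer2 (this is a model written for this page, not code from either poster or from ipfw itself), the following simulates ipfw's two inspection points on constructed packets: the layer2 pass sees the ESP wrapper, the layer3 pass sees the packet again and then its decapsulated payload, where a formerly encrypted TCP segment and a cleartext one look identical. Rule matching, the default-deny fall-through, and the `Packet` fields are assumptions of the model, not ipfw internals.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    iface: str                          # arrival interface, e.g. "wi0"
    proto: str                          # IP protocol visible at this inspection point
    layer2: bool                        # True when ipfw runs from the ethernet layer
    inner_proto: Optional[str] = None   # constructed: payload protocol carried inside ESP

# (action, proto, negate_proto, iface, layer2_required), one tuple per rule in the post
RULES = [
    ("allow", "esp", False, "wi0", True),   # allow all esp from any to any in via wi0 layer2
    ("deny",  "esp", True,  "wi0", True),   # deny all not esp from any to any in via wi0 layer2
    ("allow", "ip",  False, "wi0", False),  # allow all from any to any in via wi0 not layer2
]

def match(rule, pkt):
    action, proto, negate, iface, l2 = rule
    if pkt.iface != iface or pkt.layer2 != l2:
        return False
    proto_ok = proto == "ip" or pkt.proto == proto
    return (not proto_ok) if negate else proto_ok

def check(pkt):
    """First matching rule wins; assumption: default policy is deny."""
    for rule in RULES:
        if match(rule, pkt):
            return rule[0]
    return "deny"

def decapsulate(pkt):
    """Model IPsec stripping the ESP wrapper; the inner packet is re-injected at layer3."""
    if pkt.proto != "esp":
        return pkt
    return Packet(pkt.iface, pkt.inner_proto or "ip", layer2=False)

def trace(pkt):
    """Verdicts in processing order: layer2, then layer3 on the same packet,
    then layer3 on the decapsulated payload if the packet was ESP."""
    verdicts = [("layer2", check(pkt))]
    if verdicts[-1][1] != "allow":
        return verdicts              # dropped before the IP layer ever sees it
    l3 = Packet(pkt.iface, pkt.proto, layer2=False, inner_proto=pkt.inner_proto)
    verdicts.append(("layer3", check(l3)))
    if pkt.proto == "esp" and verdicts[-1][1] == "allow":
        verdicts.append(("layer3-decapsulated", check(decapsulate(l3))))
    return verdicts
```

Running `trace` on a cleartext packet arriving on wi0 stops at the layer2 deny, while an ESP packet passes all three stages; comparing `check` on a cleartext TCP packet and on the decapsulated payload at layer3 shows both get the same verdict, which is the point Ben makes about the esp flag being unusable above layer2.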