From: Andriy Gapon
Date: Thu, 16 Jan 2003 01:08:19 -0500 (EST)
Subject: Re: Requireing IPsec on wi interface?
To: freebsd-mobile@FreeBSD.ORG
Cc: freebsd-ipfw@FreeBSD.ORG
Message-id: <20030116010203.G7550@edge.foundation.invalid>

I'd rather see this behavior be configured via sysctl than introducing an overhead for all interfaces and messing with ipfw layer2 rules. Sort of surprising that such a big difference in ipsec-ipfw interaction between 4.7-release and stable was made without a wide discussion or at least an announcement.
In reply to:

Date: Wed, 15 Jan 2003 23:24:52 -0500
From: "Ben Pfountz"
Subject: Re: Requireing IPsec on wi interface?
Message-ID: <002501c2bd17$36ebdd80$6511a8c0@benspiece>

Hey list,

Just to close out my thread, here is what I found dealing with forcing IPsec on a network interface with FreeBSD 4.7-STABLE or later...

IPsec packets can be separated from clear packets at the layer2 level in the firewall. Once they get up to the higher levels, the esp flag cannot be used to separate clear from encrypted packets. This is an example of how to block all non-ipsec packets coming in on an interface:

    allow all esp from any to any in via wi0 layer2
    deny all not esp from any to any in via wi0 layer2
    allow all from any to any in via wi0 not layer2

You will need IPFW2, so read the IPFW man page on how to build it into your system.

Ben

-- 
Andriy Gapon
* Broadcast Message from wnpdev21 (pts/tg) Wed Jan 8 09:12:47... replacing the jar - krishna 3931
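The rule set from Ben's message, packaged as a script (an added example, not code from either poster). It assumes two things the thread does not spell out: that net.link.ether.ipfw must be set to 1 for the layer2 rules to be consulted at all, and that IKE (UDP port 500) arrives in the clear and so needs its own allow when keys are negotiated by racoon rather than loaded by hand with setkey; the interface name, rule numbers and the UDP 500 rule are this example's choices.

```shell
#!/bin/sh
# Added example, not from the original thread: install layer-2 ipfw rules so
# that only ESP (and IKE, if negotiating keys) may enter via the wireless
# interface. Assumes a 4.7-STABLE or later kernel built with IPFW2.
IFACE="${IFACE:-wi0}"
BASE="${BASE:-1000}"   # first rule number; rules are numbered BASE, BASE+10, ...

# Emit the rule bodies in the order they must be evaluated.
# The final "not layer2" allow lets decrypted packets, which ipfw sees a
# second time at layer 3 and no longer marked as esp, continue up the stack.
ipsec_only_rules() {
    cat <<EOF
allow esp from any to any in via $IFACE layer2
allow udp from any to any 500 in via $IFACE layer2
deny all from any to any in via $IFACE layer2
allow all from any to any in via $IFACE not layer2
EOF
}

# Turn the rule bodies into numbered "ipfw add" commands.
ipfw_commands() {
    n=$BASE
    ipsec_only_rules | while IFS= read -r body; do
        printf 'ipfw add %d %s\n' "$n" "$body"
        n=$((n + 10))
    done
}

# Install: enable layer-2 inspection first (assumed sysctl name), otherwise
# the layer2 rules are never matched; then load the rules. Needs root.
apply_rules() {
    sysctl net.link.ether.ipfw=1 >/dev/null || return 1
    ipfw_commands | sh -e
}

# Only touch the running system when invoked as "apply"; otherwise just
# print what would be installed so the rules can be reviewed first.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    ipfw_commands
fi
```

Run without arguments to review the generated commands; run with "apply" as root to install them.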