Date: Fri, 14 Dec 2001 16:41:52 -0600 (CST)
From: Nick Rogness <nick@rogness.net>
To: Jonathan Chen <jonc@chen.org.nz>
Cc: "Oles' Hnatkevych" <gnut@fc.kiev.ua>, freebsd-questions@FreeBSD.ORG
Subject: Re: gif and ipfw
Message-ID: <Pine.BSF.4.21.0112141604290.75078-100000@cody.jharris.com>
In-Reply-To: <20011215105825.B498@grimoire.chen.org.nz>
On Sat, 15 Dec 2001, Jonathan Chen wrote:

> On Fri, Dec 14, 2001 at 05:10:12PM +0300, Oles' Hnatkevych wrote:
> > Hello freebsd-questions,
> >
> > after several hours of digging in the dirt I come to the
> > conclusion that packets are at first passed through the firewall,
> > THEN decapsulated by GIF and do not pass the firewall again????
> > so how do I set up firewall rules on the gif interface?? ;)
> > I can filter outgoing packets, not incoming ones...
>
> The question has been brought up in -stable before, but no one gave a
> good reason why the code doesn't do it. You may want to send-pr the
> problem, and see what the maintainers say.

IIRC:

Packets appear to come in via the outside interface as protocol ipencap.
Then they get decapsulated, then appear to come in via gif0 for your inside
address (of the tunnel). The same happens for packets outbound...except in
reverse order. Packets "appear" to leave gif0 for your internal
destination, get encapsulated, then leave your outbound interface as
protocol ipencap (4).

Example:

ipfw add 100 allow log ipencap from any to any in via xl0
ipfw add 200 allow log ip from any to any via gif0

So decapsulation appears to happen between rule #100 and #200 above.
If you use this ruleset, you should see the following hits in your syslog
logfile:

For inbound packets: rule #100 first, then rule #200
For outbound packets: rule #200 first, then rule #100

Onto your question...You can firewall "via your gif" interface. You can
optionally firewall on your "public" (non gif) interface by using protocol
ipencap with outside addresses.

Nick Rogness <nick@rogness.net>
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
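As an added example (not Nick's ruleset and not from the thread), the following sh script emits an ipfw ruleset laid out in the order described above: ipencap on the outer interface is restricted to the known tunnel peer instead of "any to any", and the decapsulated traffic is filtered on gif0. The interface name, addresses, inner network and rule numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example: ipfw rules for a gif(4) tunnel, split into the outer
# (ipencap) leg and the inner (gif0) leg. All values below are assumed
# placeholders; adjust them for the host in question.
OUTER_IF="xl0"           # public interface that carries the encapsulated packets
PEER="203.0.113.2"       # remote tunnel endpoint (constructed documentation address)
LOCAL="203.0.113.1"      # our own public tunnel endpoint (constructed)
INNER_NET="10.1.0.0/16"  # network reachable on the far side of gif0 (constructed)

# Emit the rules rather than loading them, so the set can be reviewed first.
gif_rules() {
    # Outer leg: only the known peer may exchange ipencap (IP protocol 4)
    # with us. "ipencap from any to any" would accept encapsulated packets
    # from any source, so pin both endpoints and deny the rest.
    echo "add 100 allow log ipencap from $PEER to $LOCAL in via $OUTER_IF"
    echo "add 110 allow log ipencap from $LOCAL to $PEER out via $OUTER_IF"
    echo "add 120 deny log ipencap from any to any via $OUTER_IF"
    # Inner leg: after decapsulation the packet is evaluated again, now
    # "in via gif0", so the inner addresses are filtered here.
    echo "add 200 allow log ip from $INNER_NET to any in via gif0"
    echo "add 210 allow log ip from any to $INNER_NET out via gif0"
    echo "add 220 deny log ip from any to any via gif0"
}

# To load: gif_rules > /tmp/gif.rules && ipfw -q /tmp/gif.rules
```

With "log" on every rule, an inbound tunnel packet should show hits on rule 100 and then rule 200, matching the order in the message above.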