Date: Tue, 26 Nov 2002 09:02:28 -0500
From: "Matthew Emmerton" <matt@gsicomp.on.ca>
To: "Ari Suutari" <ari.suutari@syncrontech.com>, "Eric Masson" <e-masson@kisoft-services.com>
Cc: <greg.panula@dolaninformation.com>, "David Kelly" <dkelly@HiWAAY.net>, <FreeBSD-stable@FreeBSD.ORG>
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID: <00d901c29554$75724610$1200a8c0@gsicomp.on.ca>
References: <200211142157.57459.dkelly@HiWAAY.net> <200211180854.29349.ari.suutari@syncrontech.com> <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com> <200211260837.02019.ari.suutari@syncrontech.com>
> Hi,
>
> On Monday 25 November 2002 18:46, Eric Masson wrote:
> > In my case, the LAN joined by the VPN uses RFC 1918 addresses, and if I
> > want the VPN traffic to flow correctly, I must invalidate incoming
> > RFC 1918 address checking on the external firewall interface. I don't
> > think it increases security ;)
>
> True :-( I used to have a network like this, but we were able to
> obtain a bunch of public IP addresses so I didn't think about
> this. My problem with the previous solution was that I wasn't
> able to completely filter traffic flowing from the IPsec tunnel because
> detunneled packets arriving at the local node were never passed to ipfw.
>
> Maybe the solution would be to start using gif devices and IPsec
> transport mode, which would make it possible to filter
> encrypted and unencrypted packets separately. I haven't tried
> this but there seems to be a lot of discussion on it currently.

This is what I did over a year ago when setting up FreeBSD gateways to
connect 5 retail stores to head office. It proved to be the least-headache,
simplest method to comprehend from a firewall rule perspective.

--
Matt Emmerton
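The gif plus transport-mode layout discussed above, written out as an added example (this is not Matt's or Ari's configuration, and the interface names fxp0/gif0, the TEST-NET public addresses and the 10.x LANs are constructed placeholders). The point it shows is the one Ari is after: ESP and IKE are matched on the outside interface between the two gateway addresses, the decrypted LAN-to-LAN traffic is matched on gif0, and because detunneled packets now arrive on gif0 rather than the outside interface, the RFC 1918 anti-spoof rules on the outside interface no longer have to be disabled. The setkey(8) policy requires ESP only for the gif encapsulation (IP protocol 4, "ipencap") between the two public addresses, which is what makes the two filtering points distinct.

```shell
#!/bin/sh
# Added example, not taken from the thread: ipfw(8) rules and setkey(8) policy
# for a gif tunnel protected by transport-mode IPsec (FreeBSD 4.x-era syntax).
# Every name and address below is an assumed placeholder; override via env.

EXT_IF="${EXT_IF:-fxp0}"                   # outside interface (assumed name)
TUN_IF="${TUN_IF:-gif0}"                   # gif tunnel interface
LOCAL_PUB="${LOCAL_PUB:-192.0.2.1}"        # this gateway, public side (TEST-NET)
REMOTE_PUB="${REMOTE_PUB:-198.51.100.1}"   # peer gateway, public side
LOCAL_LAN="${LOCAL_LAN:-10.1.0.0/16}"      # LAN behind this gateway
REMOTE_LAN="${REMOTE_LAN:-10.2.0.0/16}"    # LAN behind the peer

# Security policy: only the gif encapsulation (ipencap) between the two public
# addresses must travel inside transport-mode ESP. Unprotected ipencap from the
# peer address is dropped by the kernel because of "require", not by ipfw.
build_spd() {
    cat <<EOF
spdadd $LOCAL_PUB $REMOTE_PUB ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_PUB $LOCAL_PUB ipencap -P in ipsec esp/transport//require;
EOF
}

# Firewall rules, one per line, printed so they can be reviewed before loading.
# 2xx: encrypted traffic and IKE, seen only on the outside interface.
# 3xx: RFC 1918 anti-spoof on the outside interface; it can stay, because the
#      decrypted 10.x packets are delivered on gif0, not on $EXT_IF.
# 4xx: plaintext LAN-to-LAN traffic, seen only on the gif interface.
build_rules() {
    cat <<EOF
add 200 allow esp from $REMOTE_PUB to $LOCAL_PUB in recv $EXT_IF
add 210 allow esp from $LOCAL_PUB to $REMOTE_PUB out xmit $EXT_IF
add 220 allow udp from $REMOTE_PUB 500 to $LOCAL_PUB 500 in recv $EXT_IF
add 230 allow udp from $LOCAL_PUB 500 to $REMOTE_PUB 500 out xmit $EXT_IF
add 300 deny log ip from 10.0.0.0/8 to any in recv $EXT_IF
add 310 deny log ip from 172.16.0.0/12 to any in recv $EXT_IF
add 320 deny log ip from 192.168.0.0/16 to any in recv $EXT_IF
add 400 allow ip from $REMOTE_LAN to $LOCAL_LAN in recv $TUN_IF
add 410 allow ip from $LOCAL_LAN to $REMOTE_LAN out xmit $TUN_IF
add 420 deny log ip from any to any via $TUN_IF
add 65000 deny log ip from any to any
EOF
}

# Load policy and rules into the kernel. Guarded by an environment variable so
# the script can be read and tested on any host without root or FreeBSD.
apply_all() {
    build_spd | setkey -c
    ipfw -q flush
    build_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        ipfw -q $rule
    done
}

if [ "${APPLY_VPN_RULES:-no}" = yes ]; then
    apply_all
else
    build_spd
    build_rules
fi
```

Run it with no arguments to print the policy and ruleset for review, or with `APPLY_VPN_RULES=yes` on the gateway itself to load them. Rule 420 closes gif0 to anything that is not the expected LAN pair, and the final deny keeps the ruleset closed by default; site-specific rules for the gateway's own services would go between the 3xx and 4xx groups.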