From: "Matthew Emmerton" <matt@gsicomp.on.ca>
To: "Ari Suutari", "Eric Masson"
Cc: "David Kelly", freebsd-stable@freebsd.org
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Date: Tue, 26 Nov 2002 09:02:28 -0500

> Hi,
>
> On Monday 25 November 2002 18:46, Eric Masson wrote:
> > In my case, the LAN joined by the VPN uses RFC 1918 addresses, and if I
> > want the VPN traffic to flow correctly, I must invalidate incoming
> > RFC 1918 address checking on the external firewall interface. I don't
> > think it increases security ;)
>
> True :-( I used to have a network like this, but we were able to
> obtain a bunch of public IP addresses so I didn't think about
> this. My problem with the previous solution was that I wasn't
> able to completely filter traffic flowing from the IPsec tunnel because
> detunneled packets arriving at the local node were never passed to ipfw.
>
> Maybe the solution would be to start using gif devices and IPsec
> transport mode, which would make it possible to filter
> encrypted and unencrypted packets separately. I haven't tried
> this, but there seems to be a lot of discussion on it currently.

This is what I did over a year ago when setting up FreeBSD gateways to
connect 5 retail stores to head office. It proved to be the least-headache,
simplest method to comprehend from a firewall rule perspective.

--
Matt Emmerton
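The gif-plus-transport-mode layout Ari proposes and Matt confirms, as an added example that is not part of the original thread: a POSIX sh script that emits the FreeBSD commands for one gateway, so the ESP packets, the decrypted IP-in-IP (ipencap) packets and the inner LAN traffic can each be filtered by ipfw while the RFC 1918 anti-spoof rules on the external interface stay in place. The public addresses, LAN prefixes, gif endpoint addresses, external interface name and ipfw rule numbers are placeholders passed as arguments, and SA keying (manual setkey add or racoon) is assumed to be configured separately.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the FreeBSD commands for one
# gateway of a gif + IPsec transport-mode VPN so that ipfw can filter the ESP
# packets, the IP-in-IP (ipencap) packets and the inner LAN traffic separately.
# All addresses, the interface name and rule numbers are placeholders (assumptions);
# SA keying (setkey add or racoon) is assumed to be set up separately.
#
# usage: vpn_commands LOCAL_PUB REMOTE_PUB LOCAL_LAN REMOTE_LAN LOCAL_GIF REMOTE_GIF EXT_IF
vpn_commands() {
    lpub=$1 rpub=$2 llan=$3 rlan=$4 lgif=$5 rgif=$6 ext=$7
    # 1. gif tunnel between the public endpoints; the far LAN is routed over gif0,
    #    so private addresses only ever appear on gif0, never on $ext.
    echo "ifconfig gif0 create"
    echo "ifconfig gif0 tunnel $lpub $rpub"
    echo "ifconfig gif0 inet $lgif $rgif netmask 255.255.255.255"
    echo "route add -net $rlan $rgif"
    # 2. transport-mode SPD: only the ipencap traffic between the two public
    #    addresses is protected, so the gif tunnel rides inside ESP.
    echo "setkey -c <<EOF"
    echo "spdadd $lpub/32 $rpub/32 ipencap -P out ipsec esp/transport//require;"
    echo "spdadd $rpub/32 $lpub/32 ipencap -P in ipsec esp/transport//require;"
    echo "EOF"
    # 3. ipfw: ESP and ipencap are filtered between public addresses on $ext,
    #    LAN-to-LAN traffic on gif0, and the RFC 1918 anti-spoof rules on $ext
    #    can stay (the tunnel-mode setup in the thread had to drop them).
    echo "ipfw add 100 allow esp from $rpub to $lpub via $ext"
    echo "ipfw add 100 allow esp from $lpub to $rpub via $ext"
    echo "ipfw add 100 allow ipencap from $rpub to $lpub via $ext"
    echo "ipfw add 100 allow ipencap from $lpub to $rpub via $ext"
    echo "ipfw add 100 allow ip from $rlan to $llan via gif0"
    echo "ipfw add 100 allow ip from $llan to $rlan via gif0"
    echo "ipfw add 110 deny ip from 10.0.0.0/8 to any in via $ext"
    echo "ipfw add 110 deny ip from 172.16.0.0/12 to any in via $ext"
    echo "ipfw add 110 deny ip from 192.168.0.0/16 to any in via $ext"
}

# Run stand-alone with the seven arguments to print the commands (pipe to sh as root to apply).
if [ $# -eq 7 ]; then
    vpn_commands "$@"
fi
```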