Date:      Mon, 20 Jan 2003 22:34:51 -0800
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Mike Durian <durian@boogie.com>
Cc:        Pekka Nikander <pekka.nikander@nomadiclab.com>, freebsd-net@freebsd.org
Subject:   Re: Question about IPsec and double ipfilter processing
Message-ID:  <20030121063451.GB37009@blossom.cjclark.org>
In-Reply-To: <200301201731.49942.durian@boogie.com>
References:  <200301201731.49942.durian@boogie.com>

On Mon, Jan 20, 2003 at 05:31:49PM -0700, Mike Durian wrote:
> I was looking through the FreeBSD mailing list archives trying to figure
> out why ipfilter is filtering on both encapsulated ESP packets and the
> decrypted packets (NetBSD says it should only filter on the line packets),
> when I saw a relevant posting.  It looks like other people are frustrated by
> this double processing too.

I don't see this. I have one rule on my external interface,

  block in log quick on de0 all                           head 2000
    ...
    pass  in     quick proto esp from any to 12.234.89.252/32             group 2000

That allows in ESP traffic from any host. No other rules are required
on this interface for the IPsec tunnel to work.

Obviously, I need a rule on the internal interface to let the
unencrypted traffic pass this interface. But since all of the
interesting filtering of traffic from the outside world happens on the
external interface,

  pass out quick on fxp0            all

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
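As an added illustration (not part of Crist's message or of ipfilter itself), the following is a small model of how ipfilter walks rules with head/group and quick, applied to the two passes discussed in the thread: the ESP packet arriving on the external interface and the decrypted packet leaving on the internal one. The interface names and the 12.234.89.252 address come from the rules above; the packet samples and the default-pass behaviour when nothing matches are assumptions.

```python
# Added example, not code from the original mail: a minimal model of
# ipfilter rule evaluation (head/group, quick, last-match-wins otherwise).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False          # stop at this rule if it matches
    iface: Optional[str] = None  # None matches any interface
    proto: Optional[str] = None  # None matches any protocol
    dst: Optional[str] = None    # None matches any destination
    head: Optional[int] = None   # this rule opens a group
    group: Optional[int] = None  # this rule belongs to a group

# The rules from the mail: ESP allowed in on de0, everything else on de0
# blocked, and unencrypted traffic passed out on the internal fxp0.
RULES = [
    Rule("block", "in", quick=True, iface="de0", head=2000),
    Rule("pass", "in", quick=True, proto="esp", dst="12.234.89.252", group=2000),
    Rule("pass", "out", quick=True, iface="fxp0"),
]

def matches(r: Rule, pkt: dict) -> bool:
    return (r.direction == pkt["dir"]
            and (r.iface is None or r.iface == pkt["iface"])
            and (r.proto is None or r.proto == pkt["proto"])
            and (r.dst is None or r.dst == pkt["dst"]))

def evaluate(rules, pkt, group=None):
    """One pass of the filter. Returns the verdict or None if no rule matched.
    A matching head rule descends into its group; the group's verdict is used
    when some rule there matched, otherwise the head rule's own action."""
    verdict = None
    for r in rules:
        if r.group != group or not matches(r, pkt):
            continue
        sub = evaluate(rules, pkt, r.head) if r.head is not None else None
        verdict = sub if sub is not None else r.action
        if r.quick:
            return verdict
    return verdict

def filter_packet(pkt: dict) -> str:
    v = evaluate(RULES, pkt)
    return v if v is not None else "pass"  # assumption: no default block rule

# Constructed packets: the ESP packet on the wire, the inner packet after
# decryption heading to a (made-up) LAN host, and an unwanted cleartext probe.
ESP_ON_WIRE = {"dir": "in", "iface": "de0", "proto": "esp", "dst": "12.234.89.252"}
INNER_TO_LAN = {"dir": "out", "iface": "fxp0", "proto": "tcp", "dst": "192.168.1.10"}
CLEARTEXT_PROBE = {"dir": "in", "iface": "de0", "proto": "tcp", "dst": "12.234.89.252"}
```

Each packet is filtered once per interface it crosses, so the tunnel works with only the ESP rule on de0 and the pass-out rule on fxp0.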
