Date: Mon, 20 Jan 2003 22:34:51 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Mike Durian <durian@boogie.com>
Cc: Pekka Nikander <pekka.nikander@nomadiclab.com>, freebsd-net@freebsd.org
Subject: Re: Question about IPsec and double ipfilter processing
Message-ID: <20030121063451.GB37009@blossom.cjclark.org>
In-Reply-To: <200301201731.49942.durian@boogie.com>
References: <200301201731.49942.durian@boogie.com>
On Mon, Jan 20, 2003 at 05:31:49PM -0700, Mike Durian wrote:
> I was looking through the FreeBSD mailing list archives trying to figure
> out why ipfilter is filtering on both encapsulated ESP packets and the
> decrypted packets (NetBSD says it should only filter on the line packets),
> when I saw a relevant posting. It looks like other people are frustrated by
> this double processing too.

I don't see this. I have one rule on my external interface,

  block in log quick on de0 all head 2000
  ...
  pass in quick proto esp from any to 12.234.89.252/32 group 2000

That allows in ESP traffic from any host. No other rules are required on
this interface for the IPsec tunnel to work. Obviously, I need a rule on
the internal interface to let the unencrypted traffic pass this
interface. But since all of the interesting filtering of traffic from the
outside world happens on the external interface,

  pass out quick on fxp0 all

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
http://people.freebsd.org/~cjc/    |     cjclark@jhu.edu
                                   |     cjc@freebsd.org
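The ruleset sketched in the reply above, written out as a complete ipf.conf. This is an added, constructed example and not a file from the thread; the interface names and the local endpoint 12.234.89.252 are taken from the message, while PEER_ADDR is a placeholder for the remote gateway, and the one deliberate change from the message is that ESP is accepted only from that peer rather than from any host.

```conf
# /etc/ipf.conf -- constructed example for the setup described in the reply.
# de0  = external interface (carries encrypted ESP packets)
# fxp0 = internal interface (carries the decrypted traffic)
# 12.234.89.252 is the local tunnel endpoint from the message.
# PEER_ADDR is a placeholder; replace it with the remote gateway's address.

# External interface: deny and log everything inbound by default, and send
# each packet on to group 2000 for the exceptions below.
block in log quick on de0 all head 2000

# Admit only ESP (IP protocol 50) addressed to the local tunnel endpoint.
# The message's rule used "from any"; pinning the source to the remote
# gateway keeps unrelated ESP traffic away from the IPsec stack entirely.
pass in quick proto esp from PEER_ADDR/32 to 12.234.89.252/32 group 2000

# Nothing else is needed on de0: ipfilter passes a packet that matches no
# rule, and the only inbound rule is the block/head pair above.

# Internal interface: once the tunnel has decrypted a packet it shows up
# here as outbound cleartext, so this side needs its own pass rule.
# All filtering of outside traffic was already done on de0, so let it go.
pass out quick on fxp0 all
```

Load it with ipf -Fa -f /etc/ipf.conf and confirm with ipfstat -io that the ESP rule on de0 and the pass-out rule on fxp0 are the ones matching tunnel traffic.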