From owner-freebsd-net  Mon Jan 20 22:35: 2 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 530E837B401
	for <freebsd-net@freebsd.org>; Mon, 20 Jan 2003 22:35:01 -0800 (PST)
Received: from sccrmhc03.attbi.com (sccrmhc03.attbi.com [204.127.202.63])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 777D743F1E
	for <freebsd-net@freebsd.org>; Mon, 20 Jan 2003 22:35:00 -0800 (PST)
	(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252])
          by sccrmhc03.attbi.com (sccrmhc03) with ESMTP
          id <200301210634590030005dhme>; Tue, 21 Jan 2003 06:34:59 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
	by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h0L6Yreq037797;
	Mon, 20 Jan 2003 22:34:57 -0800 (PST)
	(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h0L6YpEW037796;
	Mon, 20 Jan 2003 22:34:51 -0800 (PST)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Mon, 20 Jan 2003 22:34:51 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Mike Durian <durian@boogie.com>
Cc: Pekka Nikander <pekka.nikander@nomadiclab.com>,
	freebsd-net@freebsd.org
Subject: Re: Question about IPsec and double ipfilter processing
Message-ID: <20030121063451.GB37009@blossom.cjclark.org>
Reply-To: "Crist J. Clark" <cjc@freebsd.org>
References: <200301201731.49942.durian@boogie.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200301201731.49942.durian@boogie.com>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

On Mon, Jan 20, 2003 at 05:31:49PM -0700, Mike Durian wrote:
> I was looking through the FreeBSD mailing list archives trying to figure
> out why ipfilter is filtering on both encapsulated ESP packets and the
> decrypted packets (NetBSD says it should only filter on the line packets),
> when I saw a relevent posting.  It looks like other people are frustrated by
> this double processing too.

I don't see this. I have one rule on my external interface,

  block in log quick on de0 all                           head 2000
    ...
    pass  in     quick proto esp from any to 12.234.89.252/32             group 2000

That allows in ESP traffic from any host. No other rules are required
on this interface for the IPsec tunnel to work.

Obviously, I need a rule on the internal interface to let the
unecrypted traffic pass this interface. But since all of the
interesting filtering of traffic from the outside world happens on the
external interface,

  pass out quick on fxp0            all

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message