Date: Mon, 20 Jan 2003 22:34:51 -0800
From: "Crist J. Clark"
To: Mike Durian
Cc: Pekka Nikander, freebsd-net@freebsd.org
Subject: Re: Question about IPsec and double ipfilter processing
Message-ID: <20030121063451.GB37009@blossom.cjclark.org>
In-Reply-To: <200301201731.49942.durian@boogie.com>

On Mon, Jan 20, 2003 at 05:31:49PM -0700, Mike Durian wrote:
> I was looking through the FreeBSD mailing list archives trying to figure
> out why ipfilter is filtering on both encapsulated ESP packets and the
> decrypted packets (NetBSD says it should only filter on the line packets),
> when I saw a relevant posting. It looks like other people are frustrated by
> this double processing too.

I don't see this. I have one rule on my external interface,

  block in log quick on de0 all head 2000
  ...
  pass in quick proto esp from any to 12.234.89.252/32 group 2000

That allows in ESP traffic from any host. No other rules are required
on this interface for the IPsec tunnel to work. Obviously, I need a
rule on the internal interface to let the unencrypted traffic pass this
interface. But since all of the interesting filtering of traffic from
the outside world happens on the external interface,

  pass out quick on fxp0 all

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
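To show how the three rules above chain together (the block-all head rule on de0, the ESP rule in group 2000, and the pass-out rule on fxp0), here is an added toy evaluator for this ruleset; it is not ipfilter's code and implements only the keywords these rules use (quick, on, proto, to, head/group), assuming ipfilter's last-match-wins semantics and a default of pass when no rule matches.

```python
import ipaddress
# The three ipfilter rules from the message, used here as constructed sample input.
RULES_TEXT = """
block in log quick on de0 all head 2000
pass in quick proto esp from any to 12.234.89.252/32 group 2000
pass out quick on fxp0 all
"""

def parse_rule(line):
    # Only the keywords these rules use are parsed; the source is always 'any'.
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t,
         "iface": None, "proto": None, "dst": None, "head": None, "group": None}
    for i, tok in enumerate(t):
        if tok == "on":
            r["iface"] = t[i + 1]
        elif tok == "proto":
            r["proto"] = t[i + 1]
        elif tok == "to" and t[i + 1] != "any":
            r["dst"] = ipaddress.ip_network(t[i + 1])
        elif tok in ("head", "group"):
            r[tok] = t[i + 1]
    return r

RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]
def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and (r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"]))

def evaluate(rules, pkt, group=None):
    # Last match wins unless the rule is 'quick'. A matching 'head' rule hands the
    # packet to its group first and keeps its own action only if nothing there matches.
    result = None
    for r in (x for x in rules if x["group"] == group):
        if not matches(r, pkt):
            continue
        verdict = r["action"]
        if r["head"] is not None:
            verdict = evaluate(rules, pkt, r["head"]) or verdict
        result = verdict
        if r["quick"]:
            break
    return result

def verdict(pkt):
    # Assumed default policy: pass when no rule matches at all.
    return evaluate(RULES, pkt) or "pass"
```

Feeding it an inbound ESP packet for 12.234.89.252 on de0 yields "pass", any other inbound packet on de0 yields "block", and outbound traffic on fxp0 yields "pass".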