From owner-freebsd-net@FreeBSD.ORG Thu Dec 9 16:15:10 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55A6916A4CE; Thu, 9 Dec 2004 16:15:10 +0000 (GMT)
Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id B88B443D39; Thu, 9 Dec 2004 16:15:09 +0000 (GMT) (envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from transport.cksoft.de (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id BA41D1FF91D; Thu, 9 Dec 2004 17:15:07 +0100 (CET)
Received: by transport.cksoft.de (Postfix, from userid 66) id D063D1FF90C; Thu, 9 Dec 2004 17:15:05 +0100 (CET)
Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id DDADF15767; Thu, 9 Dec 2004 16:10:24 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id DAFB815766; Thu, 9 Dec 2004 16:10:24 +0000 (UTC)
Date: Thu, 9 Dec 2004 16:10:24 +0000 (UTC)
From: "Bjoern A. Zeeb"
X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net
To: Andre Oppermann
In-Reply-To: <41B85729.40F00890@freebsd.org>
Message-ID:
References: <20041129100949.GA19560@bps.jodocus.org> <41AAF696.6ED81FBF@freebsd.org> <41AB3A74.8C05601D@freebsd.org> <41AB65B2.A18534BF@freebsd.org> <41B85729.40F00890@freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on transport.cksoft.de
cc: freebsd-net@freebsd.org
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Dec 2004 16:15:10 -0000

On Thu, 9 Dec 2004, Andre Oppermann wrote:

Hi,

> With the changes you can choose whether you want to do firewalling before
> ipsec processing or after but not both.

I am unsure if I get that right, but that's what the ipsec flag in ipfw2
is for, and it is heavily used to filter ipsec encrypted traffic and the
same traffic, tagged to come from an ipsec tunnel, afterwards. If your
changes won't handle this you will break too many IPSec GWs, I think.

> The enc(4) pseudo device looks
> interesting but I haven't looked at the code. Maybe that makes things
> easier. I'll look into it.

The code is quite simple and helpful for debugging but not for a lot
more with our current ipsec implementations (at least that had been the
case about a year ago).

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
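As an added illustration of the two-stage filtering Bjoern describes (constructed for this page, not code from the thread or from FreeBSD): an ipfw(8) rule file, loaded with `ipfw -q /etc/ipfw.rules`, that filters the encrypted traffic on its outer headers and then, via the `ipsec` option, the same traffic again once it has left the tunnel. Addresses, rule numbers and the file path are assumptions, as is a kernel built with `IPSEC` and `IPSEC_FILTERGIF` so that ipfw sees the decapsulated packets.

```ipfw
# Constructed example rule file for an IPsec gateway (not from the thread).
# Assumed layout: local net 10.1.0.0/16, remote net 10.2.0.0/16 reached
# through tunnel peer 192.0.2.10. Load with: ipfw -q /etc/ipfw.rules
flush

# --- Stage 1, before ipsec: filter the encrypted traffic on the outer headers ---
# Only the known peer may exchange IKE (udp/500) and ESP with this gateway.
add 100 allow udp from 192.0.2.10 500 to me 500 in
add 110 allow esp from 192.0.2.10 to me in
add 120 allow udp from me 500 to 192.0.2.10 500 out
add 130 allow esp from me to 192.0.2.10 out
add 140 deny log esp from any to any
add 150 deny log udp from any to any 500

# --- Stage 2, after ipsec: filter the same traffic once decapsulated ---
# A packet that came out of a security association carries IPsec history,
# which the "ipsec" option matches. Cleartext that merely claims the remote
# net's addresses has no such history and is dropped (and logged) as spoofed.
add 200 allow ip from 10.2.0.0/16 to 10.1.0.0/16 in ipsec
add 210 deny log ip from 10.2.0.0/16 to 10.1.0.0/16 in

# Cleartext bound for the remote net is passed here and left to the IPsec
# code to encrypt; this rule only sees the inner packet if ipfw runs before
# ipsec on the output path, which is the ordering question of this thread.
add 300 allow ip from 10.1.0.0/16 to 10.2.0.0/16 out

add 65000 deny log ip from any to any
```

Dropping a change that removes one of the two stages would turn rule 210 into a no-op: without the `ipsec` history there is nothing left to distinguish decapsulated traffic from spoofed cleartext.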