Date: Wed, 25 Oct 2000 19:32:58 +0400 (MSD)
From: Andrey Rouskol
To: freebsd-security@freebsd.org
Subject: ipsec and ipfw

Hi!

I've found that in -current, outgoing ipsec packets (esp, ah) pass without being filtered by ipfw, and incoming de-encapsulated traffic is not filtered by ipfw either. So a telnet connection over ipsec with stateful filtering is dropped in 20 seconds (which is dyn_syn_lifetime). All tests were made in 'transport' mode.

Is this normal?

Regards,
Andrey.