Date: Wed, 27 Nov 2002 09:00:49 +0200
From: Ari Suutari <ari.suutari@syncrontech.com>
To: greg.panula@dolaninformation.com, "Patrick M. Hausen" <hausen@punkt.de>
Cc: FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <200211270900.50007.ari.suutari@syncrontech.com>
In-Reply-To: <3DE374D1.AE5A27A3@dolaninformation.com>
References: <200211211504.gALF4Sej086710@hugo10.ka.punkt.de> <3DE374D1.AE5A27A3@dolaninformation.com>
Hi,

On Tuesday 26 November 2002 15:19, Greg Panula wrote:
>
> # allow private traffic between locations to flow
> allow ip from 10... to 192.168... out via int.nic
> allow ip from 192.168... to 10... in via int.nic
>
> Granted the ruleset above assumes you are *not* using gif tunnels, just
> ipsec tunnels. The encrypted traffic arrives on the external interface,
> is decrypted and passed back to the kernel for routing & filtering. Ipfw
> rules for the internal nic then allow or deny the traffic.

This does not filter packets that are destined to the firewall host itself. For example, if your local network is 192.168.1.x, with the firewall's int.nic as 192.168.1.1, and you have an ipsec policy that connects another network to this network, then you are unable to filter traffic to the firewall itself, i.e. the firewall is WIDE OPEN from the other network via the VPN.

	Ari S.
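The gap Ari describes can be made concrete with a small model of ipfw first-match evaluation. This is an added illustration, not code from the thread or from FreeBSD: the firewall addresses, interface names, routes, the networks filled in for Greg's elided "10..." and "192.168..." and the catch-all default rule are all constructed assumptions. It shows which checkpoints a decrypted VPN packet passes, and therefore which rules can ever see it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology for the example (not from the thread): the firewall
# has int.nic on the 192.168.1.0/24 LAN and ext.nic facing the IPsec peer.
FIREWALL_ADDRS = {"192.168.1.1", "203.0.113.1"}
ROUTES = {"192.168.1.0/24": "int.nic", "10.0.0.0/8": "ext.nic"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" or "out": which ipfw hook is being evaluated
    iface: str      # interface the packet is traversing at that hook


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src_net: str
    dst_net: str
    direction: Optional[str] = None  # None matches both in and out
    via: Optional[str] = None        # None matches any interface

    def matches(self, p: Packet) -> bool:
        return (
            ip_address(p.src) in ip_network(self.src_net)
            and ip_address(p.dst) in ip_network(self.dst_net)
            and self.direction in (None, p.direction)
            and self.via in (None, p.iface)
        )


# The two rules quoted by Greg, with the elided networks assumed to be
# 10.0.0.0/8 and 192.168.0.0/16 for the example, plus an assumed catch-all
# default; the rest of the real ruleset is not on the page.
RULESET = [
    Rule(100, "allow", "10.0.0.0/8", "192.168.0.0/16", "out", "int.nic"),
    Rule(200, "allow", "192.168.0.0/16", "10.0.0.0/8", "in", "int.nic"),
    Rule(65535, "allow", "0.0.0.0/0", "0.0.0.0/0"),
]


def route_iface(dst: str) -> str:
    """Outgoing interface for a forwarded packet, from the constructed routes."""
    for net, iface in ROUTES.items():
        if ip_address(dst) in ip_network(net):
            return iface
    raise LookupError(f"no route to {dst}")


def ipfw_hooks(src: str, dst: str, recv_iface: str) -> List[Packet]:
    """Checkpoints a (decrypted) packet passes through.

    It is first filtered inbound on the interface it arrived on.  If it is
    addressed to the firewall itself it is delivered locally and touches no
    other interface; otherwise it is forwarded and filtered outbound on the
    route's interface.
    """
    hooks = [Packet(src, dst, "in", recv_iface)]
    if dst not in FIREWALL_ADDRS:
        hooks.append(Packet(src, dst, "out", route_iface(dst)))
    return hooks


def first_match(p: Packet) -> Rule:
    """ipfw semantics: the first rule that matches decides the packet."""
    for rule in RULESET:
        if rule.matches(p):
            return rule
    raise RuntimeError("ruleset has no default rule")


def rules_hit(src: str, dst: str, recv_iface: str) -> List[int]:
    """Rule numbers that decide the packet at each hook, in order."""
    return [first_match(p).number for p in ipfw_hooks(src, dst, recv_iface)]


if __name__ == "__main__":
    # VPN traffic for a LAN host is forwarded out int.nic and meets rule 100.
    print(rules_hit("10.1.1.5", "192.168.1.50", "ext.nic"))   # [65535, 100]
    # VPN traffic for the firewall's own LAN address never reaches int.nic,
    # so only the default rule is consulted and rules 100/200 cannot act on it.
    print(rules_hit("10.1.1.5", "192.168.1.1", "ext.nic"))    # [65535]
```

For the packet addressed to 192.168.1.1 the only checkpoint is the inbound hook on ext.nic, so the two "via int.nic" rules are never consulted and whatever the external-side rules and the default rule allow is what reaches the firewall's own services. Any filtering of VPN traffic to the firewall's own addresses therefore has to happen in rules that match at that external-side hook.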