Date:      Wed, 27 Nov 2002 09:00:49 +0200
From:      Ari Suutari <ari.suutari@syncrontech.com>
To:        greg.panula@dolaninformation.com, "Patrick M. Hausen" <hausen@punkt.de>
Cc:        FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION  ANDQUESTIONS
Message-ID:  <200211270900.50007.ari.suutari@syncrontech.com>
In-Reply-To: <3DE374D1.AE5A27A3@dolaninformation.com>
References:  <200211211504.gALF4Sej086710@hugo10.ka.punkt.de> <3DE374D1.AE5A27A3@dolaninformation.com>


Hi,

On Tuesday 26 November 2002 15:19, Greg Panula wrote:
>
> # allow private traffic between locations to flow
> allow ip from 10... to 192.168... out via int.nic
> allow ip from 192.168... to 10... in via int.nic
>
> Granted the ruleset above assumes you are *not* using gif tunnels, just
> ipsec tunnels.  The encrypted traffic arrives on the external interface,
> is decrypted and passed back to the kernel for routing&filtering.  Ipfw
> rules for the internal nic then allow or deny the traffic.

	This does not filter packets that are destined to the
	firewall host itself. For example, if your local network
	is 192.168.1.x, with the firewall's int.nic as 192.168.1.1,
	and you have an ipsec policy that connects another
	network to this network, then you are unable to filter
	traffic to the firewall itself, i.e. the firewall is WIDE OPEN
	from the other network via the VPN.

		Ari S.

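The gap Ari describes, shown as two ipfw rule sets side by side. This is an added example, not code posted by either participant: it assumes int.nic is fxp0 with 192.168.1.0/24 behind it, that the remote VPN network is 10.0.0.0/8, and that ssh and ping are the only services the remote site may reach on the firewall host (all hypothetical choices). The quoted rules only match packets that cross int.nic, so a decrypted packet addressed to 192.168.1.1 never meets them; the hardened set decides explicitly, using ipfw's `me` keyword (any address configured on the host), what the remote network may send to the firewall itself. IPFW defaults to `echo` so the script only prints the rules; run it as `IPFW=ipfw sh vpn-rules.sh` as root on the firewall to load them.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical assumptions:
#   int.nic = fxp0, local LAN 192.168.1.0/24 (firewall is 192.168.1.1),
#   remote VPN network 10.0.0.0/8 reached via an IPsec tunnel policy.
# IPFW defaults to "echo" (dry run); set IPFW=ipfw to actually load rules.
: "${IPFW:=echo}"

INT_NIC=fxp0
LOCAL_NET=192.168.1.0/24
REMOTE_NET=10.0.0.0/8

# The rule set as quoted in the thread: only traffic that crosses int.nic
# is matched. A decrypted packet whose destination is the firewall host
# never goes in or out via int.nic, so nothing here sees it.
weak_ruleset() {
    $IPFW add 2000 allow ip from "$LOCAL_NET" to "$REMOTE_NET" out via "$INT_NIC"
    $IPFW add 2010 allow ip from "$REMOTE_NET" to "$LOCAL_NET" in via "$INT_NIC"
}

# Hardened: rules 1000-1030 handle traffic between the remote network and
# the firewall host itself ("me" matches every address configured on the
# host) and do not depend on which interface the decrypted packet shows
# up on. They are numbered before the transit rules so they win.
hardened_ruleset() {
    # what the remote site may do to the firewall host: ssh and ping only
    $IPFW add 1000 allow tcp from "$REMOTE_NET" to me 22 in setup
    $IPFW add 1010 allow icmp from "$REMOTE_NET" to me in icmptypes 8
    # everything else from the VPN aimed at the firewall is dropped and logged
    $IPFW add 1020 deny log ip from "$REMOTE_NET" to me in
    # replies from the firewall back to the remote site
    $IPFW add 1030 allow ip from me to "$REMOTE_NET" out
    # transit traffic between the two sites, as in the quoted rule set
    $IPFW add 2000 allow ip from "$LOCAL_NET" to "$REMOTE_NET" out via "$INT_NIC"
    $IPFW add 2010 allow ip from "$REMOTE_NET" to "$LOCAL_NET" in via "$INT_NIC"
}

hardened_ruleset
```

Rule 1020 is the one that closes the hole; the two allow rules above it are the whitelist and should be as short as the site can live with. Whether the decrypted packet is seen `in via` the external NIC or elsewhere, a rule keyed on `to me` without a `via` clause catches it either way.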

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200211270900.50007.ari.suutari>