From owner-freebsd-stable Tue Nov 26 22:55:23 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B763E37B401 for ; Tue, 26 Nov 2002 22:55:21 -0800 (PST)
Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D12E43E4A for ; Tue, 26 Nov 2002 22:55:20 -0800 (PST) (envelope-from ari.suutari@syncrontech.com)
Received: from linux (coffee.syncrontech.com [62.71.8.37]) by guinness.syncrontech.com (8.12.6/8.12.6) with ESMTP id gAR6t765027553; Wed, 27 Nov 2002 08:55:08 +0200 (EET) (envelope-from ari.suutari@syncrontech.com)
Content-Type: text/plain; charset="iso-8859-1"
From: Ari Suutari
Organization: Syncron Tech Oy
To: greg.panula@dolaninformation.com, "Patrick M. Hausen"
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Date: Wed, 27 Nov 2002 09:00:49 +0200
User-Agent: KMail/1.4.3
Cc: FreeBSD-stable@FreeBSD.ORG
References: <200211211504.gALF4Sej086710@hugo10.ka.punkt.de> <3DE374D1.AE5A27A3@dolaninformation.com>
In-Reply-To: <3DE374D1.AE5A27A3@dolaninformation.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Message-Id: <200211270900.50007.ari.suutari@syncrontech.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi,

On Tuesday 26 November 2002 15:19, Greg Panula wrote:
>
> # allow private traffic between location to flow
> allow ip from 10... to 192.168... out via int.nic
> allow ip from 192.168... to 10... in via int.nic
>
> Granted the ruleset above assumes you are *not* using gif tunnels, just
> ipsec tunnels. The encrypted traffic arrives on the external interface,
> is decrypted and passed back to the kernel for routing&filtering. Ipfw
> rules for the internal nic then allow or deny the traffic.

	This does not filter packets that are destined to the
	firewall host itself. For example, if your local network
	is 192.168.1.x, with firewall int.nic as 192.168.1.1
	and you have an ipsec policy that connects another
	network to this network, then you are unable to filter
	traffic to the firewall itself, i.e. the firewall is WIDE OPEN
	from the other network via the VPN.

		Ari S.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
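The gap Ari describes can be made concrete with a small model of ipfw-style first-match rule evaluation. This is an added example, not code from the thread or from FreeBSD: the interface names `int0`/`ext0`, the firewall's external address `203.0.113.10`, the filled-in networks `10.0.0.0/8` and `192.168.1.0/24`, and the "allow everything else" default are all constructed assumptions. A decrypted VPN packet that is forwarded to a LAN host passes ipfw on its way out the internal NIC, so the quoted rules see it; a packet addressed to the firewall itself is delivered locally, never traverses the internal NIC, and so matches neither rule. The hardened ruleset adds an explicit deny for VPN-side traffic to the firewall's own addresses (ipfw's `me` keyword) ahead of the forwarding rules.

```python
# Added example (not from the mailing-list thread or FreeBSD): a toy model of
# ipfw first-match rule evaluation, showing why rules written only for traffic
# crossing the internal NIC never filter decrypted VPN traffic addressed to the
# firewall host itself.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the firewall's own addresses. 192.168.1.1 is the internal
# address from the thread; the external address is an assumed example value.
FIREWALL_ADDRS = {"192.168.1.1", "203.0.113.10"}


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "in" or "out", for the pass ipfw is making over this packet
    via: str        # interface name for that pass ("int0" or "ext0", assumed names)


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # CIDR or "any"
    dst: str                         # CIDR, "any", or "me" (any firewall address)
    direction: Optional[str] = None  # None matches both directions
    via: Optional[str] = None        # None matches any interface


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in FIREWALL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def _rule_match(rule: Rule, pkt: Packet) -> bool:
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and rule.via != pkt.via:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """First matching rule decides. The default stands in for the rest of a
    ruleset that lets remaining traffic through (the 'wide open' case)."""
    for rule in rules:
        if _rule_match(rule, pkt):
            return rule.action
    return default


# The two rules quoted in the thread, with the elided prefixes filled in as
# constructed networks.
FORWARD_ONLY = [
    Rule("allow", "10.0.0.0/8", "192.168.1.0/24", "out", "int0"),
    Rule("allow", "192.168.1.0/24", "10.0.0.0/8", "in", "int0"),
]

# Hardened variant: deny VPN-side traffic to the firewall's own addresses
# before the forwarding rules get a chance to match.
HARDENED = [Rule("deny", "10.0.0.0/8", "me")] + FORWARD_ONLY


def forwarded_to_lan_host() -> Packet:
    # Decrypted VPN packet on its way out through the internal NIC.
    return Packet("10.1.2.3", "192.168.1.50", "out", "int0")


def addressed_to_firewall() -> Packet:
    # Decrypted VPN packet for the firewall itself: delivered locally, so the
    # only pass ipfw makes over it is inbound on the external interface.
    return Packet("10.1.2.3", "192.168.1.1", "in", "ext0")


def verdicts() -> dict:
    return {
        "lan_host/forward_only": evaluate(FORWARD_ONLY, forwarded_to_lan_host()),
        "firewall/forward_only": evaluate(FORWARD_ONLY, addressed_to_firewall()),
        "lan_host/hardened": evaluate(HARDENED, forwarded_to_lan_host()),
        "firewall/hardened": evaluate(HARDENED, addressed_to_firewall()),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

Under the quoted rules the forwarded packet is allowed and the packet to the firewall falls through to whatever the rest of the ruleset does; under the hardened rules the forwarded packet is still allowed while the packet to the firewall is denied. In a real ruleset, any service the remote network legitimately needs on the firewall host would get its own allow rule placed before that deny.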