Date: Fri, 10 Dec 2004 08:45:33 +0200
From: "Ari Suutari" <ari@suutari.iki.fi>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, "Andre Oppermann" <andre@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
Message-ID: <08f001c4de83$dfbb1b80$2508473e@sad.syncrontech.com>
References: <20041129100949.GA19560@bps.jodocus.org> <41AAF696.6ED81FBF@freebsd.org> <41AB3A74.8C05601D@freebsd.org> <41AB65B2.A18534BF@freebsd.org> <41B85729.40F00890@freebsd.org> <Pine.BSF.4.53.0412091605130.95268@e0-0.zab2.int.zabbadoz.net>
Hi,

>> With the changes you can choose whether you want to do firewalling before
>> ipsec processing or after but not both.
>
> I am unsure if I get that right but that's what the ipsec flag in
> ipfw2 is for and it is heavily used to filter ipsec encrypted traffic
> and the same traffic, tagged to come from an ipsec tunnel, afterwards.
>
> If your changes won't handle this you will break too many IPSec GWs I
> think.
>

At least I do filtering both before and after ipsec. Typical case is that before ipsec I allow only esp from peer's ipsec box; after ipsec I allow some tcp ports if (and only if) the packet has originated from ipsec (I use ipsec flag).

So being able to filter traffic both before and after is necessary; it is very well possible right now, if one uses IPSEC_FILTERGIF kernel option and ipfw "ipsec" flag. Please don't break this, it has been broken more or less in various releases (or at least there have been differences in how firewalling works with ipsec stuff).

However, feel free to fix the remaining problems for *outgoing* traffic.

Ari S.
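The before/after filtering Ari describes, written out as an ipfw2 ruleset (an added example, not a script from the thread or from FreeBSD). It assumes a kernel built with IPSEC and IPSEC_FILTERGIF so decapsulated packets pass through ipfw a second time, where the "ipsec" rule option matches them; the interface name, addresses and port list are constructed placeholders.

```shell
#!/bin/sh
# Added example: an IPsec gateway ruleset that filters both before and after
# IPsec processing. Defaults to a dry run that prints the rules; set
# fwcmd='/sbin/ipfw -q' in the environment to load them for real.
: "${fwcmd:=echo}"

ext_if="fxp0"            # assumption: external interface
peer="198.51.100.7"      # assumption: the peer's IPsec gateway
me="203.0.113.5"         # assumption: this gateway's own address
inside="10.1.0.0/16"     # assumption: addresses reachable only via the tunnel
allowed_tcp="22,25,80"   # assumption: services the tunnel peers may reach

ipsec_gw_rules() {
    $fwcmd flush
    $fwcmd add 100 allow ip from any to any via lo0

    # Before IPsec: on the wire, the peer may only send ESP (plus IKE on
    # udp/500 for key exchange); everything else from it is dropped.
    $fwcmd add 200 allow esp from $peer to $me in via $ext_if
    $fwcmd add 210 allow udp from $peer 500 to $me 500 in via $ext_if
    $fwcmd add 220 deny ip from $peer to $me in via $ext_if

    # After IPsec: a decapsulated packet re-enters ipfw with IPsec history,
    # which the "ipsec" option matches. Only such packets may reach the
    # listed TCP ports ...
    $fwcmd add 300 allow tcp from $inside to $me $allowed_tcp in ipsec
    # ... and the same ports are refused to any cleartext packet, so a
    # spoofed inside address arriving outside the tunnel cannot get through.
    $fwcmd add 310 deny tcp from any to $me $allowed_tcp in

    $fwcmd add 65000 deny ip from any to any
}

ipsec_gw_rules
```

Note that the rules cover inbound traffic only, which is the direction the reply says already works; the outbound ordering is the open problem the rest of the thread is about.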