From owner-freebsd-net@FreeBSD.ORG Fri Dec 10 06:45:56 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74B5516A4CE; Fri, 10 Dec 2004 06:45:56 +0000 (GMT)
Received: from poison2.syncrontech.com (adsl-nat.syncrontech.com [213.28.98.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F4B243D1D; Fri, 10 Dec 2004 06:45:54 +0000 (GMT) (envelope-from ari@suutari.iki.fi)
Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.57]) iBA6jk86064974; Fri, 10 Dec 2004 08:45:46 +0200 (EET) (envelope-from ari@suutari.iki.fi)
Received: from coffee (coffee.syncrontech.com [62.71.8.37]) iBA6jep5021601; Fri, 10 Dec 2004 08:45:45 +0200 (EET) (envelope-from ari@suutari.iki.fi)
Message-ID: <08f001c4de83$dfbb1b80$2508473e@sad.syncrontech.com>
From: "Ari Suutari"
To: "Bjoern A. Zeeb", "Andre Oppermann"
References: <20041129100949.GA19560@bps.jodocus.org> <41AAF696.6ED81FBF@freebsd.org> <41AB3A74.8C05601D@freebsd.org> <41AB65B2.A18534BF@freebsd.org> <41B85729.40F00890@freebsd.org>
Date: Fri, 10 Dec 2004 08:45:33 +0200
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
cc: freebsd-net@freebsd.org
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 10 Dec 2004 06:45:56 -0000

Hi,

>> With the changes you can choose whether you want to do firewalling before
>> ipsec processing or after but not both.
>
> I am unsure if I get that right but that's what the ipsec flag in
> ipfw2 is for and it is heavily used to filter ipsec encrypted traffic
> and the same traffic, tagged to come from an ipsec tunnel, afterwards.
>
> If your changes won't handle this you will break too many IPSec GWs I
> think.
>

At least I do filtering both before and after ipsec. Typical case is that
before ipsec I allow only esp from peer's ipsec box, after ipsec I allow
some tcp ports if (and only if) the packet has originated from ipsec
(I use ipsec flag).

So being able to filter traffic both before and after is necessary, it
is very well possible right now, if one uses IPSEC_FILTERGIF kernel option
and ipfw "ipsec" flag. Please don't break this, it has been broken more
or less in various releases (or at least there have been differences how
firewalling works with ipsec stuff).

However, feel free to fix the remaining problems for *outgoing* traffic.

Ari S.
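The before/after policy Ari describes, written out as an ipfw rule set. This is an added example, not code from the message or from FreeBSD; it assumes a kernel built with IPSEC and IPSEC_FILTERGIF so that decapsulated packets re-enter ipfw, and the addresses, ports and the `emit`/`ipsec_gw_rules` helpers are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original message or FreeBSD): inbound ipfw
# policy that filters both before IPsec (only ESP/IKE from the peer) and
# after IPsec (selected TCP ports, only for packets that came out of an SA).
# Assumes options IPSEC + IPSEC_FILTERGIF in the kernel. Values constructed.
PEER_GW="203.0.113.1"     # remote IPsec gateway (constructed)
MY_GW="198.51.100.1"      # this gateway's outside address (constructed)
LAN_NET="192.0.2.0/24"    # network behind this gateway (constructed)
PORTS="22,80"             # TCP services reachable only through the tunnel

# With DRY_RUN set, print the rule for review instead of loading it.
emit() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

ipsec_gw_rules() {
    emit -f flush
    emit add 100 allow ip from any to any via lo0
    # Before IPsec: the outer interface accepts only ESP and IKE (udp/500)
    # from the peer gateway; any other cleartext is caught by the deny rules.
    emit add 200 allow esp from "$PEER_GW" to "$MY_GW" in
    emit add 210 allow udp from "$PEER_GW" 500 to "$MY_GW" 500 in
    # After IPsec: the decapsulated inner packet passes ipfw again. The
    # 'ipsec' option matches only packets carrying IPsec history, so the
    # same ports stay closed to cleartext packets with a tunnel-side source.
    emit add 300 allow tcp from any to "$LAN_NET" "$PORTS" in ipsec
    emit add 310 deny log ip from any to "$LAN_NET" in not ipsec
    emit add 65000 deny log ip from any to any in
}

case "${1:-}" in
    --apply) DRY_RUN= ;;   # really load the rules (needs root on the gateway)
    *) DRY_RUN=1 ;;        # default: only print the rules
esac
ipsec_gw_rules
```

Run it without arguments to review the generated rules; `--apply` loads them with ipfw on the gateway itself.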