Date:      Fri, 10 Dec 2004 12:05:43 +0100
From:      Andre Oppermann <andre@freebsd.org>
To:        Ari Suutari <ari@suutari.iki.fi>
Cc:        freebsd-net@freebsd.org
Subject:   Re: (review request) ipfw and ipsec processing order for outgoing packets
Message-ID:  <41B98307.50D01EDB@freebsd.org>
References:  <20041129100949.GA19560@bps.jodocus.org><41AAF696.6ED81FBF@freebsd.org><41AB3A74.8C05601D@freebsd.org><41AB65B2.A18534BF@freebsd.org><41B85729.40F00890@freebsd.org> <Pine.BSF.4.53.0412091605130.95268@e0-0.zab2.int.zabbadoz.net> <08f001c4de83$dfbb1b80$2508473e@sad.syncrontech.com>

Ari Suutari wrote:
> 
> Hi,
> >> With the changes you can choose whether you want to do firewalling before
> >> ipsec processing or after but not both.
> >
> > I am unsure if I get that right but that's what the ipsec flag in
> > ipfw2 is for and it is heavily used to filter ipsec encrypted traffic
> > and the same traffic, tagged to come from an ipsec tunnel, afterwards.
> >
> > If your changes won't handle this you will break too many IPSec GWs I
> > think.
> >
> 
>     At least I do filtering both before and after ipsec. Typical case
>     is that before ipsec I allow only esp from peer's ipsec box, after
>     ipsec I allow some tcp ports if (and only if) the packet has
>     originated from ipsec (I use ipsec flag).
> 
>     So being able to filter traffic both before and after is necessary;
>     it is very well possible right now, if one uses the IPSEC_FILTERGIF
>     kernel option and ipfw "ipsec" flag. Please don't break this, it has
>     been broken more or less in various releases (or at least there have
>     been differences in how firewalling works with ipsec stuff).
> 
>     However, feel free to fix the remaining problems for *outgoing*
>     traffic.

All I intend to provide is a way to specify whether you want IPSEC before
or after pfil_hooks.  By default it will be as it is today and work exactly
the same.

-- 
Andre
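The two-stage policy Ari describes (only ESP from the peer before IPsec, and tunnelled TCP services only for packets carrying IPsec history afterwards), written out as an ipfw2 ruleset. This is an added example, not part of the thread or of FreeBSD; the interface name, addresses and ports are constructed placeholders, and it assumes a kernel built with IPSEC and IPSEC_FILTERGIF so decapsulated packets re-enter ipfw.

```shell
#!/bin/sh
# Added example (not from the thread): two-stage ipfw filtering around IPsec.
# All values below are constructed placeholders; override via the environment.
EXTIF="${EXTIF:-fxp0}"                     # outside interface (assumed)
ME="${ME:-192.0.2.1}"                      # this IPsec gateway (constructed)
PEER="${PEER:-198.51.100.1}"               # remote IPsec gateway (constructed)
REMOTE_NET="${REMOTE_NET:-10.20.0.0/16}"   # network behind the peer (constructed)
TCP_PORTS="${TCP_PORTS:-22,80}"            # services reachable only via the tunnel

# Emit the ruleset, one "add ..." line per rule, so it can be reviewed before
# being applied.
ipfw_rules() {
    # Stage 1: before decapsulation, only ESP and IKE from the peer gateway
    # are accepted on the outside interface.
    echo "add 100 allow esp from $PEER to $ME in via $EXTIF"
    echo "add 110 allow udp from $PEER 500 to $ME 500 in via $EXTIF"
    # Stage 2: with IPSEC_FILTERGIF the inner packet is filtered again.
    # The "ipsec" option matches only packets that have IPsec history, so the
    # tunnelled services cannot be reached by a cleartext packet that merely
    # spoofs an inner source address.
    echo "add 200 allow tcp from $REMOTE_NET to $ME $TCP_PORTS in ipsec"
    echo "add 210 deny log tcp from any to $ME $TCP_PORTS in not ipsec"
    # Outgoing traffic is left permissive here; the thread is about where
    # outgoing packets meet the firewall, not about this policy.
    echo "add 300 allow ip from any to any out"
    echo "add 65000 deny log ip from any to any"
}

# Print the rules by default; load them only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    ipfw -q flush
    ipfw_rules | while IFS= read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw token
        ipfw -q $rule
    done
else
    ipfw_rules
fi
```

Run without arguments to inspect the generated rules; run with `--apply` on the gateway (as root) to flush and load them.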
