From: Andre Oppermann <andre@freebsd.org>
To: Ari Suutari
cc: "Bjoern A. Zeeb"
cc: freebsd-net@freebsd.org
Date: Fri, 10 Dec 2004 12:05:43 +0100
Message-ID: <41B98307.50D01EDB@freebsd.org>
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
List-Id: Networking and TCP/IP with FreeBSD

Ari Suutari wrote:
>
> Hi,
>
> >> With the changes you can choose whether you want to do firewalling before
> >> ipsec processing or after but not both.
> >
> > I am unsure if I get that right but that's what the ipsec flag in
> > ipfw2 is for and it is heavily used to filter ipsec encrypted traffic
> > and the same traffic, tagged to come from an ipsec tunnel, afterwards.
> >
> > If your changes won't handle this you will break too many IPSec GWs I
> > think.
>
> At least I do filtering both before and after ipsec. Typical case
> is that before ipsec I allow only esp from peer's ipsec box, after
> ipsec I allow some tcp ports if (and only if) the packet has
> originated from ipsec (I use ipsec flag).
>
> So being able to filter traffic both before and after is necessary,
> it is very well possible right now, if one uses IPSEC_FILTERGIF
> kernel option and ipfw "ipsec" flag. Please don't break this, it has
> been broken more or less in various releases (or at least there have been
> differences in how firewalling works with ipsec stuff).
>
> However, feel free to fix the remaining problems for *outgoing*
> traffic.

All I intend to provide is a way to specify whether you want IPSEC before or
after pfil_hooks. By default it will be as it is today and work exactly the
same.

--
Andre
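The two-stage filtering Ari describes (cleartext side: only ESP from the peer gateway; decapsulated side: selected TCP ports only when the packet carries IPsec history) can be expressed as an ipfw2 ruleset. The script below is an added illustration, not code from the thread or from FreeBSD; the peer address 192.0.2.1, the rule numbers and the ports 22 and 25 are constructed placeholders. It generates the rules as text so they can be reviewed before loading; it relies on the kernel being built with IPSEC_FILTERGIF, since without it decapsulated packets never pass through ipfw with the ipsec flag set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit an ipfw ruleset that
# filters IPsec traffic both before and after decapsulation.
# Assumed placeholders: peer gateway 192.0.2.1, rule numbers 100/200+/65000,
# allowed inner TCP ports 22 and 25. Needs "options IPSEC" and
# "options IPSEC_FILTERGIF" in the kernel for the ipsec option to match.

gen_ipsec_ruleset() {
    peer="$1"; shift
    ports="$*"
    # Before IPsec: in cleartext, accept only ESP from the peer's IPsec gateway.
    printf 'ipfw add 100 allow esp from %s to me\n' "$peer"
    # After IPsec: each TCP port is reachable only if the packet was
    # decapsulated from the tunnel (ipfw2 "ipsec" option checks IPsec history).
    n=200
    for p in $ports; do
        printf 'ipfw add %d allow tcp from any to me %s ipsec\n' "$n" "$p"
        n=$((n + 10))
    done
    # Everything else, whether cleartext or not, is dropped.
    printf 'ipfw add 65000 deny ip from any to any\n'
}

# Audit helper: number of rules that require IPsec history, so a reviewer can
# confirm no inner-port rule was emitted without the ipsec option.
count_ipsec_rules() {
    gen_ipsec_ruleset "$@" | grep -c ' ipsec$'
}

# Usage: print the ruleset; on a FreeBSD host, pipe the output into sh to load it.
gen_ipsec_ruleset 192.0.2.1 22 25
```

Because the ipsec option matches on the packet's IPsec history rather than on addresses, a cleartext TCP packet to port 22 from anywhere falls through to the final deny even though the same port is open to tunnel traffic; that is the property the thread asks not to break.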