Date: Tue, 7 Dec 2004 10:43:00 +0200
From: "Ari Suutari" <ari@suutari.iki.fi>
To: "Jeremie Le Hen" <jeremie@le-hen.org>
Cc: freebsd-net@freebsd.org
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
Message-ID: <01a801c4dc38$c59b8700$2508473e@sad.syncrontech.com>
References: <20041129100949.GA19560@bps.jodocus.org> <41AAF696.6ED81FBF@freebsd.org> <20041129103031.GA19828@bps.jodocus.org> <41AB3A74.8C05601D@freebsd.org> <20041129174954.GA26532@bps.jodocus.org> <41AB65B2.A18534BF@freebsd.org> <20041206134315.GF79919@obiwan.tataz.chchile.org>
Hi,

> But I may be missing something because I can see no way in firewall rules to
> distinguish between the before IPSec processing hook and the after IPSec
> processing one. Could you clarify this for me please ?

There is a keyword "ipsec" in ipfw2, which matches if a packet has emerged from an ipsec tunnel. To match a packet before the ipsec stack, use protocol esp/ah in the ipfw rule. To match a packet after the ipsec stack, use tcp/udp/ip as the protocol and the "ipsec" keyword.

The problem is that this doesn't work for outgoing packets, which breaks at least stateful rules.

Ari S.
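To make the distinction Ari describes concrete, here is an added example (not from this thread or from the FreeBSD project) of an ipfw2 rule set that treats the encrypted ESP/AH packets, which the firewall sees before the IPsec stack, separately from the decrypted payload, which it sees afterwards and can match with the "ipsec" keyword. The peer address 203.0.113.1, the remote subnet 10.2.0.0/16 and the interface em0 are constructed placeholders; setting IPFW="echo ipfw" prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumes FreeBSD ipfw2; peer, subnet and interface are constructed placeholders.

: "${IPFW:=ipfw}"   # set IPFW="echo ipfw" for a dry run

# ipsec_rules PEER REMOTE_NET IFACE
ipsec_rules() {
    peer="$1"; remote_net="$2"; iface="$3"

    # Rules 100-103: the encrypted packets exchanged with the tunnel peer.
    # These are matched on protocol (esp/ah), i.e. before the IPsec stack.
    $IPFW add 100 allow esp from "$peer" to me in via "$iface"
    $IPFW add 101 allow ah from "$peer" to me in via "$iface"
    $IPFW add 102 allow esp from me to "$peer" out via "$iface"
    $IPFW add 103 allow ah from me to "$peer" out via "$iface"

    # Rule 200: decrypted payload that emerged from the tunnel, matched after
    # the IPsec stack with the "ipsec" keyword. Inbound only: as the thread
    # notes, "ipsec" does not match on outgoing packets.
    $IPFW add 200 allow ip from "$remote_net" to any in ipsec

    # Rule 201: outgoing plaintext toward the remote subnet. It is matched on
    # its inner addresses before encryption, since "ipsec" cannot be used here.
    $IPFW add 201 allow ip from any to "$remote_net" out

    # Rule 300: traffic claiming the remote subnet as source that did NOT
    # emerge from the tunnel (rule 200 would have matched it). Log and drop.
    $IPFW add 300 deny log ip from "$remote_net" to any in
}
```

Usage: `ipsec_rules 203.0.113.1 10.2.0.0/16 em0`. Rule 300 is the detection value of the keyword: once decrypted tunnel traffic is accepted by a rule carrying `ipsec`, any packet with a tunnel-subnet source that reaches a later rule arrived unprotected and is worth logging.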