Date: Tue, 7 Dec 2004 10:43:00 +0200
From: "Ari Suutari" <ari@suutari.iki.fi>
To: "Jeremie Le Hen" <jeremie@le-hen.org>
Cc: freebsd-net@freebsd.org
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
Message-ID: <01a801c4dc38$c59b8700$2508473e@sad.syncrontech.com>
References: <20041129100949.GA19560@bps.jodocus.org> <41AAF696.6ED81FBF@freebsd.org> <20041129103031.GA19828@bps.jodocus.org> <41AB3A74.8C05601D@freebsd.org> <20041129174954.GA26532@bps.jodocus.org> <41AB65B2.A18534BF@freebsd.org> <20041206134315.GF79919@obiwan.tataz.chchile.org>
Hi,
> But I may be missing something because I can see no way in firewall rules to
> distinguish between the before IPSec processing hook and the after IPSec
> processing one. Could you clarify this for me please?
There is a keyword "ipsec" in ipfw2, which matches if a packet has emerged
from an ipsec tunnel. To match a packet before the ipsec stack, use protocol
esp/ah in the ipfw rule. To match a packet after the ipsec stack, use tcp/udp/ip
as the protocol and the "ipsec" keyword.

The problem is that this doesn't work for outgoing packets, which breaks
at least stateful rules.
Ari S.
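The before/after distinction Ari describes, written out as an ipfw2 ruleset. This is an added illustration, not code from the thread or from FreeBSD; the interface name, the two subnets and the peer address (TEST-NET-1) are constructed placeholders, and `IPFW_CMD`, `add`, `ipsec_rules` and the `print`/`apply` modes are this script's own conventions. The "ipsec" keyword only has an effect on a kernel built with IPsec support and, per the ipfw(8) manual of that era, the IPSEC_FILTERGIF option; and, as the message states, it does not match on the outbound path, so the outbound rule below cannot rely on it.

```shell
#!/bin/sh
# ipfw2 rules distinguishing "before IPsec" (raw ESP/AH from the peer) from
# "after IPsec" (decapsulated traffic carrying IPsec history).
# Constructed values; adjust for the real gateway.
IPFW_CMD="${IPFW_CMD:-/sbin/ipfw -q}"   # set IPFW_CMD=echo for a dry run
PEER="192.0.2.1"          # remote tunnel endpoint (assumed, TEST-NET-1)
REMOTE_LAN="172.16.0.0/24" # subnet behind the peer (assumed)
LAN="10.1.0.0/24"          # subnet behind this gateway (assumed)

add() { $IPFW_CMD add "$@"; }

ipsec_rules() {
    # Before the IPsec stack: the packet is still an ESP/AH datagram, so it is
    # matched by protocol, not by what it carries.
    add 100 allow esp from "$PEER" to me
    add 110 allow ah from "$PEER" to me

    # After the IPsec stack: plain IP with IPsec history. Only packets that
    # really came out of the tunnel carry that history, so the 'ipsec'
    # keyword lets us accept them...
    add 200 allow ip from "$REMOTE_LAN" to "$LAN" ipsec
    # ...and drop cleartext packets that merely claim the remote subnet as
    # source (the keyword does not match, so they fall through to here).
    add 210 deny log ip from "$REMOTE_LAN" to "$LAN"

    # Outbound: the 'ipsec' keyword does not match on the outgoing path (the
    # limitation raised in this message), so this rule is protocol-only and
    # cannot be made stateful with keep-state the way the inbound side could.
    add 300 allow ip from "$LAN" to "$REMOTE_LAN" out
}

case "${1:-}" in
    print) IPFW_CMD=echo; ipsec_rules ;;   # show the rules without loading them
    apply) ipsec_rules ;;                  # load them into the running kernel
esac
```

Run with `sh ipsec-rules.sh print` to inspect the generated rules and `apply` to load them; rule 210 is the check a defender wants, since without the "ipsec" keyword nothing stops a cleartext packet from spoofing the remote subnet.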
