From: "Ari Suutari"
To: "Jeremie Le Hen"
Cc: freebsd-net@freebsd.org
Date: Tue, 7 Dec 2004 10:43:00 +0200
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
Message-ID: <01a801c4dc38$c59b8700$2508473e@sad.syncrontech.com>
References: <20041129100949.GA19560@bps.jodocus.org> <41AAF696.6ED81FBF@freebsd.org> <20041129103031.GA19828@bps.jodocus.org> <41AB3A74.8C05601D@freebsd.org> <20041129174954.GA26532@bps.jodocus.org> <41AB65B2.A18534BF@freebsd.org> <20041206134315.GF79919@obiwan.tataz.chchile.org>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

> But I may be
> missing something because I can see no way in firewall rules to
> distinguish between the before IPSec processing hook and the after IPSec
> processing one. Could you clarify this for me please?

There is a keyword "ipsec" in ipfw2, which matches if a packet has emerged from an ipsec tunnel. To match a packet before the ipsec stack, use protocol esp/ah in the ipfw rule. To match a packet after the ipsec stack, use tcp/udp/ip as the protocol and the "ipsec" keyword.

The problem is that this doesn't work for outgoing packets, which breaks at least stateful rules.

Ari S.
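An added example (not from the mail above) of what the two match points look like in an ipfw2 ruleset: ESP/AH rules for the packet before the IPsec stack, and tcp/udp rules with the "ipsec" keyword for the decapsulated packet after it. The peer and inner network addresses are constructed placeholders, and the script only prints the rules unless IPFW=ipfw is set.

```shell
#!/bin/sh
# Added example, not part of the original mail. Dry run by default:
# the rules are echoed; run with IPFW=ipfw to load them on a FreeBSD host.
IPFW="${IPFW:-echo ipfw}"
PEER="${PEER:-192.0.2.1}"        # constructed: remote IPsec gateway address
INNER="${INNER:-10.0.0.0/24}"    # constructed: network reached through the tunnel

ipfw_rules() {
    # Before the IPsec stack the packet is still ESP or AH from the peer:
    # match on the outer protocol, the inner headers are not visible yet.
    $IPFW add 100 allow esp from "$PEER" to me
    $IPFW add 110 allow ah  from "$PEER" to me

    # After the IPsec stack the decapsulated packet carries IPsec history,
    # so the "ipsec" keyword selects only traffic that came out of the tunnel.
    # As the mail notes, outgoing packets are not tagged this way, so the
    # keep-state rule below does not cover the reply direction.
    $IPFW add 200 allow tcp from "$INNER" to me 22 ipsec keep-state
    $IPFW add 210 allow udp from "$INNER" to me 53 ipsec

    # Same inner addresses arriving in cleartext did not match the ipsec
    # rules above and are dropped here.
    $IPFW add 300 deny ip from "$INNER" to me
}

ipfw_rules
```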