From: Hooman Fazaeli <hoomanfazaeli@gmail.com>
To: freebsd-net@freebsd.org
Date: Sun, 12 Mar 2017 00:53:44 +0330
Message-ID: <58C46AE0.7050408@gmail.com>
Subject: ipsec with ipfw
List-Id: Networking and TCP/IP with FreeBSD

Hi,

As you know, ipsec/setkey provides a limited syntax for defining security policies: only a single subnet/host, protocol number and optional port may be used to specify the traffic's source and destination.

I was thinking about the idea of using ipfw as the packet selector for ipsec, much like it is used with dummynet. Something like:

    ipfw add 100 ipsec 2 tcp from to 80,443,110,139

What do you think? Are you interested in such a feature? Is it worth the effort? What are the implementation challenges?

-- 
Best regards
Hooman Fazaeli
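To make the setkey limitation the post refers to concrete, the following added script (not part of the original message, and not a proposed ipfw feature) expands a port list into the separate setkey(8) spdadd lines that today's SPD syntax requires; the subnets, tunnel endpoints and ports are constructed sample values.

```shell
#!/bin/sh
# Emit the setkey(8) SPD entries needed to protect one protocol to a list of
# destination ports between two subnets. Each spdadd line matches a single
# address range, protocol and at most one port, so N ports need N entries
# per direction (2N total). All addresses and ports are constructed samples.
gen_spd() {
    src="$1"       # inner source subnet, e.g. 10.0.1.0/24
    dst="$2"       # inner destination subnet, e.g. 10.0.2.0/24
    proto="$3"     # upper-layer protocol, e.g. tcp
    ports="$4"     # comma-separated destination ports, e.g. 80,443
    gw_local="$5"  # local tunnel endpoint (outer address)
    gw_remote="$6" # remote tunnel endpoint (outer address)

    # Split the port list on commas using IFS, then restore it.
    oldifs="$IFS"; IFS=','
    for port in $ports; do
        # Outbound: src -> dst:port must go through the ESP tunnel.
        printf 'spdadd %s %s[%s] %s -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$src" "$dst" "$port" "$proto" "$gw_local" "$gw_remote"
        # Inbound: the mirror policy, with the port on the source side.
        printf 'spdadd %s[%s] %s %s -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$dst" "$port" "$src" "$proto" "$gw_remote" "$gw_local"
    done
    IFS="$oldifs"
}

# Number of SPD entries a given port list expands to.
count_spd() {
    gen_spd "$@" | wc -l | tr -d ' '
}

# Sample run: the four ports from the post become eight policy lines,
# where a single selector rule would do if ipfw could feed ipsec.
gen_spd 10.0.1.0/24 10.0.2.0/24 tcp 80,443,110,139 192.0.2.1 192.0.2.2
```

Pipe the output into `setkey -c` (as root, on a kernel built with IPSEC) to load the policies; the point here is only the line count, not the loading.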