Date: Tue, 21 Jan 2003 15:16:28 +0200
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
To: "Crist J. Clark" <cjc@freebsd.org>
Cc: Mike Durian <durian@boogie.com>, freebsd-net@freebsd.org
Subject: Re: Question about IPsec and double ipfilter processing
Message-ID: <3E2D482C.9030700@nomadiclab.com>
In-Reply-To: <20030121063451.GB37009@blossom.cjclark.org>
References: <200301201731.49942.durian@boogie.com> <20030121063451.GB37009@blossom.cjclark.org>
Crist,

Crist J. Clark wrote:
> I don't see this. I have one rule on my external interface,
>
> block in log quick on de0 all head 2000
> ...
> pass in quick proto esp from any to 12.234.89.252/32 group 2000
>
> That allows in ESP traffic from any host. No other rules are required
> on this interface for the IPsec tunnel to work.
>
> Obviously, I need a rule on the internal interface to let the
> unencrypted traffic pass this interface. But since all of the
> interesting filtering of traffic from the outside world happens on the
> external interface,
>
> pass out quick on fxp0 all

I don't quite understand. Firstly, are you saying that you *only* accept IPsec and nothing else from your external interface? That is not the case with Mike or me; at least I need to use my external interface for generic Internet traffic, too, so I can't block all other traffic.

Secondly, are you using ipfw2? I thought it was only available in -CURRENT or 5.0, not in 4.7-STABLE? Or am I wrong?

--Pekka
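The following ipfilter ruleset is an added illustration of the setup under discussion and is not taken from any message in this thread. It keeps the structure Crist quotes (a `head 2000` group on the external interface that admits ESP to the tunnel endpoint, and a permissive rule on the internal interface) but also admits ordinary Internet traffic on the external interface, which is the case Pekka raises. The interface names `de0` (external) and `fxp0` (internal) are taken from the quoted rules; the endpoint address 192.0.2.1 and the internal network 10.0.0.0/24 are constructed placeholders, and the assumption that decapsulated IPsec traffic is seen by ipfilter a second time on `fxp0` is the thread's own premise, not something verified here.

```conf
# /etc/ipf.rules -- constructed example, not from the original thread.
# de0  = external interface (placeholder address 192.0.2.1 is the tunnel endpoint)
# fxp0 = internal interface (placeholder network 10.0.0.0/24)

# --- External interface: default deny inbound, with a rule group ---------
block in log quick on de0 all head 2000

    # ESP for the IPsec tunnel terminating on this host (as in the quoted rule).
    pass in quick proto esp from any to 192.0.2.1/32 group 2000

    # Generic Internet use: let replies to our own outbound connections back in.
    # State is created by the outbound rules below, so nothing unsolicited
    # is admitted here.
    pass in quick proto tcp from any to any flags A/A keep state group 2000
    pass in quick proto udp from any to any keep state group 2000
    pass in quick proto icmp from any to any icmp-type echorep group 2000

# Outbound from the external interface: allow everything we originate,
# creating state so the matching replies pass the group above.
pass out quick on de0 proto tcp from any to any flags S keep state
pass out quick on de0 proto udp from any to any keep state
pass out quick on de0 proto icmp from any to any keep state
pass out quick on de0 proto esp from 192.0.2.1/32 to any

# --- Internal interface ---------------------------------------------------
# Decapsulated tunnel traffic is assumed (per the thread) to be filtered
# again here, so it must be admitted explicitly. Filtering decisions for
# traffic from the outside world have already been made on de0.
pass out quick on fxp0 all
pass in  quick on fxp0 from 10.0.0.0/24 to any
block in log quick on fxp0 all
```

The rules are ordered for `quick` semantics: the first match wins, so the external-interface group rejects anything not explicitly listed, while outbound traffic on `de0` is allowed freely and relies on `keep state` for its replies. If the tunnel peer uses IKE, a corresponding inbound rule for that traffic would also be needed on `de0`; it is omitted here because the thread does not describe key management.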