Date:      Tue, 21 Jan 2003 15:16:28 +0200
From:      Pekka Nikander <pekka.nikander@nomadiclab.com>
To:        "Crist J. Clark" <cjc@freebsd.org>
Cc:        Mike Durian <durian@boogie.com>, freebsd-net@freebsd.org
Subject:   Re: Question about IPsec and double ipfilter processing
Message-ID:  <3E2D482C.9030700@nomadiclab.com>
In-Reply-To: <20030121063451.GB37009@blossom.cjclark.org>
References:  <200301201731.49942.durian@boogie.com> <20030121063451.GB37009@blossom.cjclark.org>

Crist,

Crist J. Clark wrote:
> I don't see this. I have one rule on my external interface,
> 
>   block in log quick on de0 all                           head 2000
>     ...
>     pass  in     quick proto esp from any to 12.234.89.252/32             group 2000
> 
> That allows in ESP traffic from any host. No other rules are required
> on this interface for the IPsec tunnel to work.
> 
> Obviously, I need a rule on the internal interface to let the
> unencrypted traffic pass this interface. But since all of the
> interesting filtering of traffic from the outside world happens on the
> external interface,
> 
>   pass out quick on fxp0            all
> 

I don't quite understand.  Firstly, are you saying that you
*only* accept IPsec and nothing else from your external
interface?  That is not the case with Mike or me; at least I
need to use my external interface for generic Internet traffic,
too, so I can't block all other traffic.

Secondly, are you using ipfw2?  I thought it was only available
in -CURRENT or 5.0, not in 4.7-STABLE?  Or am I wrong?

--Pekka
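To make the quoted ruleset concrete, here is an added illustration (not code from the thread or from ipfilter itself): a small evaluator of simplified ipfilter semantics, last-match unless a matching rule says `quick`, with a matching `head` rule deferring to its `group`, and default pass when nothing matches, run over the three rules Crist quoted (the elided "..." rules are left out). The packet shapes are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    iface: Optional[str]        # None matches any interface
    proto: Optional[str]        # None matches any protocol
    dst: Optional[object]       # ip_network, or None for any destination
    quick: bool = False         # terminate evaluation on match
    head: Optional[int] = None  # this rule opens a group
    group: Optional[int] = None # this rule belongs to a group

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dst: str

# Constructed ruleset: the rules quoted in the thread, "..." omitted.
RULES = [
    Rule("block", "in", "de0", None, None, quick=True, head=2000),
    Rule("pass", "in", None, "esp", ip_network("12.234.89.252/32"),
         quick=True, group=2000),
    Rule("pass", "out", "fxp0", None, None, quick=True),
]

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.dst is None or ip_address(p.dst) in r.dst))

def _walk(rules, p, group):
    """Evaluate the rules in `group`; return (action, final) or None."""
    result = None                      # last matching rule so far
    for r in rules:
        if r.group != group or not matches(r, p):
            continue
        result = (r.action, r.quick)
        if r.head is not None:         # head matched: consult its group
            sub = _walk(rules, p, r.head)
            if sub is not None:        # a group rule overrides the head
                result = (sub[0], sub[1] or r.quick)
        if result[1]:                  # quick: decision is final
            return result
    return result

def evaluate(rules, p: Packet) -> str:
    r = _walk(rules, p, None)
    return "pass" if r is None else r[0]   # ipfilter passes by default
```

Inbound ESP to 12.234.89.252 on de0 passes, any other inbound packet on de0 is blocked by the head rule, and the decrypted traffic leaving on fxp0 passes.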
