From owner-freebsd-net Tue Jan 21 5:16:46 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D0BA37B401; Tue, 21 Jan 2003 05:16:45 -0800 (PST)
Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by mx1.FreeBSD.org (Postfix) with ESMTP id E858443F43; Tue, 21 Jan 2003 05:16:44 -0800 (PST) (envelope-from pekka.nikander@nomadiclab.com)
Received: from nomadiclab.com (polle.local.nikander.com [192.168.0.193]) by n97.nomadiclab.com (Postfix) with ESMTP id 31D531C; Tue, 21 Jan 2003 15:25:27 +0200 (EET)
Message-ID: <3E2D482C.9030700@nomadiclab.com>
Date: Tue, 21 Jan 2003 15:16:28 +0200
From: Pekka Nikander
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3b) Gecko/20030117
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Crist J. Clark"
Cc: Mike Durian, freebsd-net@freebsd.org
Subject: Re: Question about IPsec and double ipfilter processing
References: <200301201731.49942.durian@boogie.com> <20030121063451.GB37009@blossom.cjclark.org>
In-Reply-To: <20030121063451.GB37009@blossom.cjclark.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Crist,

Crist J. Clark wrote:
> I don't see this. I have one rule on my external interface,
>
> block in log quick on de0 all head 2000
> ...
> pass in quick proto esp from any to 12.234.89.252/32 group 2000
>
> That allows in ESP traffic from any host. No other rules are required
> on this interface for the IPsec tunnel to work.
>
> Obviously, I need a rule on the internal interface to let the
> unencrypted traffic pass this interface. But since all of the
> interesting filtering of traffic from the outside world happens on the
> external interface,
>
> pass out quick on fxp0 all

I don't quite understand. Firstly, are you saying that you *only* accept
IPsec and nothing else from your external interface? That is not the
case with Mike or me; at least I need to use my external interface for
generic Internet traffic, too, so I can't block all other traffic.

Secondly, are you using ipfw2? I thought it was only available in
-CURRENT or 5.0, not in 4.7-STABLE? Or am I wrong?

--Pekka
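The following is an added illustration, not a rule set posted by Crist, Pekka or Mike. It takes Crist's block-by-default head rule and ESP pass rule for de0 (in ipfilter syntax, as the thread's subject indicates) and extends them for a host that, as Pekka describes, also has to carry ordinary Internet traffic over its external interface: outbound connections are passed with "keep state", so their replies are matched against the state table before the inbound block rule is consulted. The interface names and the 12.234.89.252 address come from the thread; the IKE rules (udp/500), the stateful outbound rules, the 10.1.1.0/24 remote network, and the rule for a decapsulated packet being filtered a second time on de0 are assumptions and are marked as such in the comments.

```conf
# External interface (de0): block everything by default, in both directions.
block in log quick on de0 all head 2000
block out log quick on de0 all head 2500

# --- Inbound on de0 (group 2000) ---
# ESP for the IPsec tunnel: the rule quoted in the thread.
pass in quick proto esp from any to 12.234.89.252/32 group 2000
# IKE (udp/500), only needed if the SAs are negotiated rather than keyed
# by hand.  Assumption: the thread does not say which is used.
pass in quick proto udp from any to 12.234.89.252/32 port = 500 group 2000
# Assumption: on this kernel the decapsulated tunnel packet is fed through
# the filter a second time as inbound traffic on de0 (the "double
# processing" of the subject line).  If so, the cleartext packet needs a
# rule of its own here.  10.1.1.0/24 is a constructed example of the remote
# private network reached through the tunnel.
pass in quick from 10.1.1.0/24 to any group 2000

# --- Outbound on de0 (group 2500) ---
# Generic Internet use: let connections be initiated from here and keep
# state for them.  State lookup happens before the rule list is walked, so
# the replies get in without an explicit "pass in" rule in group 2000.
pass out quick proto tcp from any to any flags S keep state group 2500
pass out quick proto udp from any to any keep state group 2500
pass out quick proto icmp from any to any keep state group 2500
# The tunnel's own traffic leaving the host.
pass out quick proto esp from 12.234.89.252/32 to any group 2500

# Internal interface (fxp0): the outside world is already filtered on de0,
# so the cleartext side of the tunnel is passed freely, as in the thread.
pass in quick on fxp0 all
pass out quick on fxp0 all
```

Load it with a dry run first (ipf -n -f <file>) to catch syntax errors, then with ipf -Fa -f <file>; the only rules that matter for the tunnel itself are the ESP pass in group 2000 and, if it applies to the kernel in question, the rule for the re-filtered cleartext packet.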