From owner-freebsd-security Thu Nov 30 12:16:31 2000
Date: Thu, 30 Nov 2000 18:26:28 +0100
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: filtering ipsec traffic
Message-ID: <20001130182628.P27042@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
References: <20001129185752.O27042@speedy.gsinet>
In-Reply-To: <20001129185752.O27042@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Wed, Nov 29, 2000 at 06:57:52PM +0100
Organization: System Defenestrators Inc.

On Wed, Nov 29, 2000 at 18:57 +0100, Gerhard Sittig wrote:
>
> Am I wrong thinking that one already has these four hooks
> available? (Sorry, I haven't toyed with IPsec yet.)
>
> [ ... ]
>
> And the way out is similar with a chain of
> app -> enc0 -> IPsec -> tun0 -> wire

Woops, forget the above, please! :) I must have been asleep and was
confusing this with OpenBSD. Let me cite from their manpages (sorry,
don't have a running system around here so I will UTSL :) -- feel free
to read the online manpages at www.CC.freebsd.org in your preferred
output format).

----- ipsec(4) --------------------------------------------------
...
For example:
.Bd -literal -offset indent
Net A <----> Firewall 1 <--- Internet ---> Firewall 2 <----> Net B
.Ed
.Pp
Firewall 1 and Firewall 2 can protect all communications between
Net A and Net B by using
.Tn IPsec
in tunnel mode, as illustrated above.
.Pp
This implementation makes use of a virtual interface
.Nm enc0 ,
which can be used in packet filters to specify those packets that
have been or will be processed by
.Tn IPsec.
...
-----------------------------------------------------------------

----- enc(4) ----------------------------------------------------
...
.Sh SYNOPSIS
.Cd "pseudo-device enc 4"
.Sh DESCRIPTION
The
.Nm
interface is a software loopback mechanism that allows hosts or
firewalls to filter
.Xr ipsec 4
traffic using
.Xr ipf 5 .
The
.Xr vpn 8
manpage shows an example of such a setup.
...
-----------------------------------------------------------------

Maybe that's something FreeBSD wants to have, too? I don't see a
difference in which filter gets the packet once it enters / leaves the
IPsec functionality block and feel the mention of ipf(5) -- why 5, not
8 or 4? -- to come from the fact that it's OpenBSD's native filter.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
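As an added illustration of the setup the enc(4) excerpt above points at (this is a constructed ipf ruleset, not taken from the mail or from OpenBSD's vpn(8) page): Firewall 1 admits only IKE and ESP from its peer on the wire interface and filters the cleartext on enc0. The interface name ne0, all addresses, and the assumption that decrypted tunnel packets reappear as "in on enc0" while packets about to be encrypted are seen as "out on enc0" are mine.

```ipf
# Constructed example for Firewall 1 in the ipsec(4) picture above.
# Assumed addressing: Firewall 1 external interface ne0 = 192.0.2.1,
# Firewall 2 = 198.51.100.1, Net A = 10.1.0.0/16, Net B = 10.2.0.0/16.

# Wire interface: only the IPsec control and data channels from the
# peer are allowed; nothing else reaches the IPsec block.
pass in  quick on ne0 proto udp from 198.51.100.1 port = 500 to 192.0.2.1 port = 500
pass out quick on ne0 proto udp from 192.0.2.1 port = 500 to 198.51.100.1 port = 500
pass in  quick on ne0 proto esp from 198.51.100.1 to 192.0.2.1
pass out quick on ne0 proto esp from 192.0.2.1 to 198.51.100.1
block in  log quick on ne0 all
block out log quick on ne0 all

# enc0: the same packets after decryption (inbound) or before encryption
# (outbound). This is where policy on the inner, cleartext traffic lives,
# since on ne0 everything is opaque ESP.
pass in  quick on enc0 proto tcp  from 10.2.0.0/16 to 10.1.0.0/16 port = 22 flags S keep state
pass in  quick on enc0 proto icmp from 10.2.0.0/16 to 10.1.0.0/16
block in  log quick on enc0 all
pass out quick on enc0 from 10.1.0.0/16 to 10.2.0.0/16 keep state
block out log quick on enc0 all
```

A packet from Net B that is not SSH or ICMP is thus decrypted successfully but still logged and dropped at the enc0 rules, which is exactly the hook the outer interface cannot provide.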