Date: Tue, 11 Feb 2003 06:39:00 -0600
From: Greg Panula <greg.panula@dolaninformation.com>
To: freebsd-security@freebsd.org
Cc: Andriy Gapon <agapon@cv-nj.com>, freebsd-ipfw@freebsd.org
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
Message-ID: <3E48EEE4.AEFC0B4C@dolaninformation.com>
References: <20030210114213.P53494@edge.foundation.invalid>
Andriy Gapon wrote:
>
> Is there any remedy expected before 4.8 release for the situation with
> ipsec & ipfw interaction that was created after 'ip_input.c 1.130.2.40,
> MFC: 1.214' ?
>
> The reason I am asking this question with such a big crosspost is that it
> seems that all previous discussions on this topic resulted in nothing. And
> this change definitely breaks things for those who use ipsec without extra
> stuff like gif tunnels. It definitely doesn't look like a kind of change
> welcomed in -stable branch, not mentioning a potential security
> vulnerability for those who can not use gif.
>
> I apologize in the case I have missed any latest developments in this
> area.
>
> --

Would it be possible to extend the sysctl variable 'net.inet.ip.fw.one_pass' to include ipsec (esp) traffic? Or maybe create a new, similar sysctl variable, e.g. net.inet.ip.fw.ipsec.one_pass?

When enabled it would allow ipsec gateways to filter decrypted rfc1918 network traffic on their internal interface(s) and have the all-encompassing block of rfc1918 traffic on their external interface(s). In the case of non-gateway/single-interface boxes using ipsec, the multiple-passes-through-ipfw behavior could still be used to filter decrypted traffic.

Not sure how doable this is, but it avoids the hassle of gif/ipip tunnels (thus keeping interoperability with other non-BSD/Linux devices) and also avoids the possible quagmire of a "dedicated" ipsec/esp interface.

Just my two bits,
greg
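The two-placement layout Greg describes, as an added shell example that is not from the thread and not FreeBSD's own code: an ipfw(8) ruleset for an IPsec gateway that keeps the RFC 1918 block on the external interface and puts the policy for decrypted tunnel traffic on the internal interface. Interface names, addresses, the peer and the allowed ports are assumptions; the small fw wrapper has a DRY_RUN mode that only prints the ipfw commands so the ruleset can be reviewed on a box without ipfw loaded.

```shell
#!/bin/sh
# Added example ruleset for an IPsec gateway running ipfw (FreeBSD 4.x style
# syntax). Not from the mailing-list thread; names and addresses are assumed.
EXT=${EXT:-fxp0}                         # external (Internet-facing) interface
INT=${INT:-fxp1}                         # internal LAN interface
ME=${ME:-203.0.113.10}                   # this gateway's public address (assumed)
PEER=${PEER:-198.51.100.20}              # remote IPsec gateway (assumed)
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}   # our LAN behind $INT (assumed)
REMOTE_NET=${REMOTE_NET:-10.9.0.0/16}    # LAN behind the peer, reachable only via IPsec

# fw: run ipfw, or only print the command when DRY_RUN is set so the
# ruleset can be reviewed (or tested) without an ipfw kernel.
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

build_rules() {
    fw -f flush
    fw add 100 allow ip from any to any via lo0

    # External interface: from the peer we expect only IKE (udp/500) and ESP.
    fw add 200 allow udp from "$PEER" 500 to "$ME" 500 in via "$EXT"
    fw add 210 allow udp from "$ME" 500 to "$PEER" 500 out via "$EXT"
    fw add 220 allow esp from "$PEER" to "$ME" in via "$EXT"
    fw add 230 allow esp from "$ME" to "$PEER" out via "$EXT"

    # External interface: RFC 1918 addresses never arrive in the clear.
    # Caveat raised in the thread: if the decrypted inner packet is run
    # through ipfw a second time with $EXT still as its receive interface,
    # these rules also match the decrypted $REMOTE_NET -> $LOCAL_NET traffic;
    # that is the interaction the proposed one_pass-style sysctl would avoid.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        fw add 300 deny ip from "$net" to any in via "$EXT"
        fw add 300 deny ip from any to "$net" in via "$EXT"
    done

    # Internal interface: the policy for decrypted tunnel traffic lives here,
    # on the forwarded packet leaving towards our LAN. Ports are assumed.
    fw add 400 allow tcp from "$REMOTE_NET" to "$LOCAL_NET" 22,80 out via "$INT" setup
    fw add 410 allow tcp from any to any established
    fw add 420 allow icmp from "$REMOTE_NET" to "$LOCAL_NET" out via "$INT"
    fw add 430 deny log ip from "$REMOTE_NET" to "$LOCAL_NET" out via "$INT"

    # Our LAN towards the peer's LAN enters on $INT; the kernel's IPsec
    # policy (not shown) is what encrypts it on the way out.
    fw add 500 allow ip from "$LOCAL_NET" to "$REMOTE_NET" in via "$INT"

    fw add 65000 deny log ip from any to any
}

case "${1:-}" in
    apply) build_rules ;;
    show)  DRY_RUN=1; build_rules ;;
esac
```

Run it with `show` to print the rules and `apply` to load them. The point of the layout is that nothing at rule 300 has to know about the tunnel: the external interface sees only IKE and ESP plus a blanket RFC 1918 deny, and everything that is allowed to cross from the peer's LAN is decided once, on the internal interface. Whether the decrypted packet actually takes a second trip through rule 300 is exactly what depends on the ip_input.c revision discussed above, so check that on the kernel in question before relying on it.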