From owner-freebsd-security Tue Apr 16 01:05:07 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns.tb.by (ns.tb.by [212.98.163.84]) by hub.freebsd.org (Postfix) with ESMTP id 16E1137B400; Tue, 16 Apr 2002 01:04:59 -0700 (PDT)
Received: from franc ([10.20.1.109]) by ns.tb.by (8.11.3/8.11.3) with ESMTP id g3G8M8r75988; Tue, 16 Apr 2002 11:22:10 +0300 (EEST)
Date: Tue, 16 Apr 2002 10:58:53 +0300
From: Dmitry Shupilov
X-Mailer: The Bat! (v1.47 Halloween Edition) Personal
Reply-To: Dmitry Shupilov
X-Priority: 3 (Normal)
Message-ID: <192415279580.20020416105853@ns.tb.by>
To: Charles Henrich
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW/IPsec
In-reply-To: <20020415231146.A21593@sigbus.com>
References: <20020415231146.A21593@sigbus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Charles,

CH> I'm trying to do something trivial here, but I just can't seem to figure out
CH> what's going on. I'm trying to build a gateway that only accepts ESP tunnel
CH> packets. When I enable firewall rules something like:
CH>
CH> /sbin/ipfw add allow udp from any to any isakmp via xl0
CH> /sbin/ipfw add allow esp from any to any via xl0
CH> /sbin/ipfw add deny all from any to any via xl0
CH> /sbin/ipfw add allow all from any to any
CH>
CH> Communication fails. The thing is, I can't figure out why.

There is a GOLD ipfw rule:

/sbin/ipfw add 65000 deny log ip from any to any [via [xl0|dc0] - as you wish]
                          ^^^

You add this rule and look at your log file.

Dmitry
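Worked example of the advice above, added here and not part of the list message: a dry-run view of Charles's ruleset with the silent `deny` replaced by Dmitry's logging `deny log` rule, plus a small awk summary that groups the resulting log lines by protocol, direction and interface so the "look at your log file" step is a one-liner instead of scrolling. The rule numbers, the interface name xl0 and the log lines are constructed for this example (the addresses are documentation ranges); the log line layout follows what ipfw of that era wrote to syslog (`ipfw: <rule> Deny <proto> <src> <dst> <in|out> via <iface>`).

```shell
#!/bin/sh
# Added example, not code from the thread. Shows the ruleset with a final
# logging deny and a summary of what that rule logs.

# Emit the ruleset as lines an `ipfw <file>` load would accept.
# Rule numbers and interface name are assumptions taken from the thread.
# Rule 65000 is Dmitry's logging deny in place of the silent deny, so every
# packet on xl0 that the two allow rules do not match is recorded.
ruleset() {
    cat <<'EOF'
add 00100 allow udp from any to any isakmp via xl0
add 00200 allow esp from any to any via xl0
add 65000 deny log ip from any to any via xl0
add 65100 allow ip from any to any
EOF
}

# Constructed sample of syslog lines written when rule 65000 fires
# (plus one unrelated line to show the filter ignores it).
sample_log() {
    cat <<'EOF'
Apr 16 10:58:53 gw /kernel: ipfw: 65000 Deny TCP 10.20.1.109:1025 10.30.1.5:22 in via xl0
Apr 16 10:58:53 gw /kernel: ipfw: 65000 Deny TCP 10.20.1.109:1026 10.30.1.5:22 in via xl0
Apr 16 10:58:54 gw /kernel: ipfw: 65000 Deny ICMP:8.0 10.20.1.109 10.30.1.5 in via xl0
Apr 16 10:58:54 gw /kernel: ipfw: 65000 Deny TCP 10.30.1.5:22 10.20.1.109:1025 out via xl0
Apr 16 10:58:56 gw sshd[4711]: Accepted publickey for admin from 192.0.2.10
EOF
}

# Read ipfw deny lines on stdin and print "<count> <proto> <dir> via <iface>",
# one line per distinct combination, sorted. Fields are located relative to
# the "ipfw:" token so the syslog prefix length does not matter.
deny_summary() {
    awk '/ipfw: [0-9]+ Deny / {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        proto = $(i + 3); dir = $(i + 6); iface = $(i + 8)
        key = proto " " dir " via " iface
        n[key]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort
}

# Dry run: print the rules, then summarise the constructed log.
ruleset
sample_log | deny_summary
```

On the gateway itself the same two functions would be fed real data: save `ruleset` output to a file and load it with `ipfw <file>`, then run `grep 'ipfw:' /var/log/security | deny_summary` (FreeBSD's default syslog.conf sends the security facility there; adjust the path if yours differs). The summary tells you which protocol and direction is hitting the catch-all deny, which is exactly the evidence the reply above says to collect before changing the allow rules.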