From: Borja Marcos <borjamar@sarenet.es>
To: freebsd-stable@freebsd.org
Subject: New ipfw+IPSEC behavior
Date: Wed, 27 Nov 2002 21:00:54 +0100
Message-Id: <200211272100.54796.borjamar@sarenet.es>

Hello,

I have just upgraded from RELENG_4_7 to -STABLE and found a behavior change between IPsec and IPFW.

The previous system did not apply IPFW rules to packets after they were extracted from a tunnel, and it seems that this behavior has changed.

I know that tunnels had a problem: you could not filter anything coming through the tunnel, but that behavior had some advantages. Perhaps a compromise would be great.

In my case, I am using IPsec in a wireless network. Now I have two machines, with one in hostap mode.
The ipfw rules are configured like this:

    add 200 allow udp from 192.168.2.0/24 500 to me 500 via wi0
    add 210 allow udp from me 500 to 192.168.2.0/24 500 via wi0
    add 300 allow esp from 192.168.2.0/24 to me via wi0
    add 310 allow esp from me to 192.168.2.0/24 via wi0
    add 400 deny log all from any to any via wi0

This may seem odd, but it is very effective. It completely blocks traffic from the wi interface unless it is IKE traffic or ESP. The advantages?

1 - A wardriver cannot "touch" your machine unless he/she can successfully set up a tunnel, guessing the IKE pre-shared key or exploiting a vulnerability in racoon.

2 - You are protected from configuration errors. If, for whatever reason, unencrypted traffic "tries" to leave or reach the interface, it will not pass. Moreover, you can see it in the system log.

Any ideas? It would be great to keep this behavior. Perhaps as an option?

Borja.
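The following is an added example, not part of the original post and not FreeBSD code. It is a small first-match simulator for the subset of ipfw syntax the five rules above use, fed with constructed packets: IKE, ESP, a plaintext probe from a wardriver, and the same connection after it has been decapsulated from the ESP tunnel. The address 192.168.2.1 for "me", the 192.168.2.5/192.168.2.77 peers, the transport-mode inner addresses, the default-deny rule 65535 and the reading of rule 210's "via wi" as wi0 are all assumptions made for the example.

```python
"""First-match simulator for the ipfw ruleset in the post above (added example).

It parses the subset of ipfw syntax the five rules use and runs constructed
packets through them, including a packet that has just been decapsulated
from the IPsec tunnel, to show why the ruleset behaves differently when
ipfw is (or is not) applied to decapsulated traffic.
"""
import ipaddress

# Assumption: the hostap box's own address ("me" in ipfw terms).
ME = ipaddress.ip_address("192.168.2.1")

# The ruleset from the post; rule 210's "via wi" is assumed to mean wi0.
RULES_TEXT = """\
add 200 allow udp from 192.168.2.0/24 500 to me 500 via wi0
add 210 allow udp from me 500 to 192.168.2.0/24 500 via wi0
add 300 allow esp from 192.168.2.0/24 to me via wi0
add 310 allow esp from me to 192.168.2.0/24 via wi0
add 400 deny log all from any to any via wi0
"""


def parse_rule(line):
    """Parse: add N action [log] proto from SRC [PORT] to DST [PORT] via IF."""
    tok = line.split()
    if tok[0] != "add":
        raise ValueError(line)
    num, action, i = int(tok[1]), tok[2], 3
    log = tok[i] == "log"
    if log:
        i += 1
    proto, i = tok[i], i + 1
    if tok[i] != "from":
        raise ValueError(line)
    src, i = tok[i + 1], i + 2
    sport = None
    if tok[i] != "to":
        sport, i = int(tok[i]), i + 1
    if tok[i] != "to":
        raise ValueError(line)
    dst, i = tok[i + 1], i + 2
    dport = None
    if tok[i] != "via":
        dport, i = int(tok[i]), i + 1
    if tok[i] != "via":
        raise ValueError(line)
    iface = tok[i + 1]
    return {"num": num, "action": action, "log": log, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "iface": iface}


RULES = [parse_rule(l) for l in RULES_TEXT.splitlines()]


def packet(proto, src, dst, iface, sport=None, dport=None, decapsulated=False):
    """A constructed packet; decapsulated=True marks the inner packet the
    kernel has just extracted from an ESP tunnel."""
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "iface": iface,
            "sport": sport, "dport": dport, "decapsulated": decapsulated}


def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return addr in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    # "via IF" matches the packet in either direction on that interface.
    return (rule["proto"] in ("all", pkt["proto"])
            and rule["iface"] == pkt["iface"]
            and addr_match(rule["src"], pkt["src"])
            and addr_match(rule["dst"], pkt["dst"])
            and rule["sport"] in (None, pkt["sport"])
            and rule["dport"] in (None, pkt["dport"]))


def evaluate(rules, pkt, filter_decapsulated):
    """Return (rule number, action, logged) for the first matching rule.

    filter_decapsulated=False models the RELENG_4_7 behaviour the post
    describes (decapsulated packets bypass ipfw); True models the new
    -STABLE behaviour where they are filtered like any other packet.
    """
    if pkt["decapsulated"] and not filter_decapsulated:
        return (None, "allow", False)   # never seen by ipfw
    for rule in rules:
        if rule_matches(rule, pkt):
            return (rule["num"], rule["action"], rule["log"])
    return (65535, "deny", False)       # assumed: kernel default-deny rule


# Constructed sample traffic (addresses are assumptions, see lead-in).
IKE = packet("udp", "192.168.2.5", "192.168.2.1", "wi0", sport=500, dport=500)
ESP = packet("esp", "192.168.2.5", "192.168.2.1", "wi0")
WARDRIVER = packet("tcp", "192.168.2.77", "192.168.2.1", "wi0", sport=40000, dport=22)
# The same ssh connection, carried inside the ESP tunnel and handed back to
# ipfw after decapsulation (transport-mode addresses assumed).
INNER = packet("tcp", "192.168.2.5", "192.168.2.1", "wi0", sport=40000, dport=22,
               decapsulated=True)

if __name__ == "__main__":
    for name, p in [("IKE", IKE), ("ESP", ESP), ("WARDRIVER", WARDRIVER), ("INNER", INNER)]:
        print(name, "old:", evaluate(RULES, p, False), "new:", evaluate(RULES, p, True))
```

Running it shows the two properties the post claims (IKE and ESP pass, the plaintext probe hits rule 400 and is logged) and the change the post reports: the decapsulated inner packet is invisible to ipfw under the old behaviour but, once ipfw is applied to it, carries no mark that distinguishes it from plaintext on wi0 and so falls through to rule 400 as well. Nothing in this ruleset's syntax can express "came out of the tunnel", which is why the author asks for the old behaviour as an option rather than a different ruleset.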