From owner-freebsd-security@FreeBSD.ORG Sun Jun 1 06:28:30 2003
Date: Sun, 1 Jun 2003 09:27:06 -0400 (EDT)
From: Alwyn Goodloe
To: Nielsen
cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20030530195629.2282B3FF312@mail.npubs.com>
Subject: Re: IP SEC filtering issue

Thanks for your advice.

Alwyn

On Fri, 30 May 2003, Nielsen wrote:

> From experience I've found you have to break these things up on
> different machines. I don't have an intimate knowledge of how and when
> the IPSEC processing gets done in the kernel, and maybe if someone did
> they could figure out how and if you could do all of this on single
> machines.
>
> But in our case, we break down the tasks between machines (traffic
> splitter, ipsec processing, etc...) and it works like a charm. It's
> also *much* easier to figure out what's wrong, heh. The machines don't
> have to be powerful.
>
> Nate
>
> ----- Original Message -----
> From: "Alwyn Goodloe"
> To:
> Sent: Wednesday, May 28, 2003 14:44
> Subject: IP SEC filtering issue
>
> > First thing to note is that I am using FreeBSD 4.8.
> >
> > We would like to send only the syn packet of a tcp connection through
> > certain ipsec tunnels and the rest of the packets in a connection
> > through a simple transport mode setup. Yeah, I know it's strange but
> > what can I say -- we do a lot of strange things. From the best I can
> > tell, the setkey/spdadd filtering capability isn't sophisticated
> > enough to detect syn packets. Since ipfw does do this sort of thing we
> > can use this to filter out the syn packet and using divert sockets (we
> > have a lot of experience at writing divert sockets) we can put a
> > wrapper around it so that it goes to a particular port. Since ip sec
> > can filter on ports, we can just filter that out. The process should
> > look something like:
> >
> > syn ---> diverted and wrapped to head for port X ---->
> > ipsec filters on port X sends it into tunnel .........
> >
> > ........... ipsec does its thing ---> divert socket unwraps ---> sends
> > the packet on its way (not passing through ip sec again).
> >
> > The divert socket solution seems to work fine on the sending side, but
> > there seem to be problems on the receiving side. I suspect that ipfw
> > is looking at the packet before ipsec or some such thing. I know that
> > there were postings about the interaction of ipfw and ipsec and that
> > some of these were going to be fixed in 4.8.
> >
> > If any of you know of a way to get ipsec to filter on syn packets let
> > me know. If you have ever tried to get divert sockets and ip sec
> > working at the same time let me know the secret. I suspect I'm just
> > going to have to hack the ipsec filter to get it to filter on syn
> > packets. Any ideas as to how hard this will be?
> >
> > Alwyn Goodloe
> >
> > agoodloe@saul.cis.upenn.edu
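The sending-side rule set that the original post sketches, written out as an added example (it is not from the thread and not FreeBSD's own code): ipfw's setup option selects the SYN-only packet for the divert socket, and the SPD keys the tunnel on the wrapper's port while the rest of the connection gets transport mode. The wrapper daemon, the SAs (manual or IKE), and all addresses, ports and the interface name are assumed placeholders; the receiving side, where the post reports trouble, is not covered.

```shell
#!/bin/sh
# Added example (not from the thread): sender-side config files for the
# design in the original post.  ipfw hands only the connection-opening SYN
# to a divert socket; the wrapper daemon (assumed, not shown) re-injects it
# addressed to WRAP_PORT, and the SPD tunnels only that port while every
# other packet of the connection gets transport mode.  Addresses, ports and
# the interface are constructed placeholders; SAs are assumed to exist.
LOCAL=10.0.0.1        # this host (also the IPsec endpoint)
PEER=10.0.0.2         # the host we open connections to
WRAP_PORT=7777        # port the wrapped SYN is addressed to
DIVERT_PORT=9000      # divert(4) port the wrapper daemon listens on
OIF=fxp0              # outside interface

# ipfw rules file (load with: ipfw /path/to/file).  'setup' matches TCP
# packets with SYN set and ACK clear, so rule 1000 diverts exactly the first
# packet of each connection.  A packet the daemon writes back into the divert
# socket resumes at the next rule, so it is not diverted a second time.
write_ipfw_rules() {
    cat > "$1" <<EOF
add 1000 divert $DIVERT_PORT tcp from $LOCAL to $PEER setup out xmit $OIF
add 1100 allow ip from any to any
EOF
}

# setkey SPD file (load with: setkey -f /path/to/file).  The KAME SPD is
# searched in insertion order (first match), so the port-specific tunnel
# entries go first and the transport-mode catch-alls after them.  "[any]"
# and "[$WRAP_PORT]" are the port selectors the post wants to key on.
write_spd() {
    cat > "$1" <<EOF
spdflush;
spdadd $LOCAL[any] $PEER[$WRAP_PORT] tcp -P out ipsec esp/tunnel/$LOCAL-$PEER/require;
spdadd $PEER[$WRAP_PORT] $LOCAL[any] tcp -P in ipsec esp/tunnel/$PEER-$LOCAL/require;
spdadd $LOCAL $PEER any -P out ipsec esp/transport//require;
spdadd $PEER $LOCAL any -P in ipsec esp/transport//require;
EOF
}

write_ipfw_rules ./ipfw.rules
write_spd ./ipsec.spd
echo "wrote ./ipfw.rules and ./ipsec.spd; apply with: ipfw ./ipfw.rules; setkey -f ./ipsec.spd"
```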