Date: Thu, 03 Apr 2003 08:41:40 -0000 From: Borja Marcos <borjamar@sarenet.es> To: "Ben Pfountz" <netprince@vt.edu> Cc: freebsd-mobile@FreeBSD.ORG Subject: Re: Requireing IPsec on wi interface? Message-ID: <200301140921.19982.borjamar@sarenet.es> In-Reply-To: <002301c2bb8e$0a85db90$6511a8c0@benspiece> References: <002301c2bb8e$0a85db90$6511a8c0@benspiece>
On Tuesday 14 January 2003 06:30, Ben Pfountz wrote:
> I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the
> way ipfw handles IPsec packets. After IPsec processes the packets, it
> passes the packets to the firewall without the ESP flag set. Before the
> upgrade to 4.7-STABLE, I was using the firewall to prevent all but ESP
> packets on that interface. Now, I can't figure out how to firewall all
> but IPsec packets on my wireless interface. I would like to get IPsec
> going instead of wep, but I would need to somehow block non-ESP packets.
> Anybody have any suggestions?

I have exactly the same problem. I upgraded my system to -STABLE and had to go back to RELENG_4_7.

I think this is a serious problem. Packets coming through a tunnel should be seen in a different way than packets received at the interface.

Of course, with the old behavior, you always trust the packets you receive through a tunnel, but I think the behavior currently implemented in -STABLE is far worse; you cannot do this sort of configuration.

Protecting the interface with rules such as these has another important advantage: it protects you from configuration errors. In case you forget anything (or there is a problem with IPSec) you make sure that no unencrypted packets will leave the interface.

Would it be possible to have an added flag to ipfw rules identifying the tunnel, or something like that?

Borja.
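The two rulesets under discussion, written out as an added example that is not part of the original thread: the ESP-only ruleset the posters relied on, beside a version that uses the `ipsec` option later added to ipfw(8), which matches packets carrying IPsec history (i.e. decapsulated by the kernel) regardless of the IP protocol field. The interface name wi0, the rule numbers and the rc.firewall-style `${fwcmd}` variable are assumptions.

```shell
#!/bin/sh
# Constructed example: rc.firewall-style rules for a wireless interface that
# may carry nothing but IPsec. ${fwcmd} follows the FreeBSD rc.firewall
# convention; set fwcmd=echo before calling a function to dry-run the rules.
fwcmd="${fwcmd:-/sbin/ipfw}"
wifi="${wifi:-wi0}"

# Ruleset from the thread: accept only ESP (plus IKE) on the interface.
# On a kernel that hands the decapsulated inner packet back to ipfw, that
# packet has no ESP header and hits the final deny, so the tunnel breaks.
wifi_esp_only_rules() {
	${fwcmd} add 1000 allow esp from any to any via "${wifi}"
	${fwcmd} add 1010 allow udp from any to any 500 via "${wifi}"   # IKE
	${fwcmd} add 1020 allow udp from any 500 to any via "${wifi}"
	${fwcmd} add 1999 deny log ip from any to any via "${wifi}"
}

# Same policy expressed with the "ipsec" option (assumes a kernel and ipfw
# that support it): the tunnel is trusted because the packet has IPsec
# history, not because of which interface it arrived on.
wifi_ipsec_rules() {
	${fwcmd} add 1000 allow esp from any to any via "${wifi}"
	${fwcmd} add 1010 allow udp from any to any 500 via "${wifi}"   # IKE
	${fwcmd} add 1020 allow udp from any 500 to any via "${wifi}"
	# Inner packets recovered from the tunnel pass only on IPsec history.
	${fwcmd} add 1030 allow ip from any to any ipsec
	# Anything reaching the interface in the clear is dropped and logged,
	# which also catches misconfiguration that would leak plaintext.
	${fwcmd} add 1999 deny log ip from any to any via "${wifi}"
}
# Apply with: wifi_ipsec_rules   (as root; fwcmd=echo to preview).
```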