Date: Thu, 03 Apr 2003 08:41:40 -0000
From: Borja Marcos <borjamar@sarenet.es>
To: "Ben Pfountz" <netprince@vt.edu>
Cc: freebsd-mobile@FreeBSD.ORG
Subject: Re: Requireing IPsec on wi interface?
Message-ID: <200301140921.19982.borjamar@sarenet.es>
In-Reply-To: <002301c2bb8e$0a85db90$6511a8c0@benspiece>
References: <002301c2bb8e$0a85db90$6511a8c0@benspiece>
On Tuesday 14 January 2003 06:30, Ben Pfountz wrote:
> I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the
> way ipfw handles IPsec packets. After IPsec processes the packets, it
> passes the packets to the firewall without the ESP flag set. Before the
> upgrade to 4.7-STABLE, I was using the firewall to prevent all but ESP
> packets on that interface. Now, I can't figure out how to firewall all
> but IPsec packets on my wireless interface. I would like to get IPsec
> going instead of WEP, but I would need to somehow block non-ESP packets.
> Anybody have any suggestions?

I have exactly the same problem. I upgraded my system to -STABLE and had to go back to RELENG_4_7.

I think this is a serious problem. Packets coming through a tunnel should be seen in a different way than packets received at the interface. Of course, with the old behavior, you always trust the packets you receive through a tunnel, but I think the behavior currently implemented in -STABLE is far worse; you cannot do this sort of configuration.

Protecting the interface with rules such as these has another important advantage: it protects you from configuration errors. In case you forget anything (or there is a problem with IPsec) you make sure that no unencrypted packets will leave the interface.

Would it be possible to have an added flag to ipfw rules identifying the tunnel, or something like that?

Borja.
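The "ESP only on the wireless interface" ruleset both posters describe, as an added example that is not part of the thread. It assumes the interface is wi0, rule numbers 1000-1020 are free, and IKE runs over UDP/500 (drop that rule if SAs are installed by hand with setkey); setting IPFW=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules that admit only IPsec
# traffic on a wireless interface, the configuration Ben used before
# 4.7-STABLE.  Assumptions: interface wi0, rule numbers 1000-1020 unused,
# IKE on UDP port 500.  IPFW=echo prints the rules instead of loading them.
IPFW="${IPFW:-/sbin/ipfw}"
WIFI_IF="${WIFI_IF:-wi0}"

install_wi_ipsec_rules() {
    # ESP (protocol 50) is the only payload traffic that may cross the air.
    "$IPFW" add 1000 allow esp from any to any via "$WIFI_IF"

    # IKE key exchange (assumption: a daemon such as racoon on UDP/500).
    # Not needed when SAs are installed manually with setkey.
    "$IPFW" add 1010 allow udp from any 500 to any 500 via "$WIFI_IF"

    # Everything else on the wireless interface is dropped and logged, so a
    # broken or forgotten IPsec policy cannot leak cleartext.  This is also
    # the rule the thread is about: in the -STABLE behaviour described above,
    # the decapsulated inner packets are handed back to ipfw without any ESP
    # marker and are caught here, which is why the ruleset stops working.
    "$IPFW" add 1020 deny log ip from any to any via "$WIFI_IF"
}

# Convenience entry point: print the ruleset that would be loaded.
show_wi_ipsec_rules() {
    ( IPFW=echo; install_wi_ipsec_rules )
}
```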
