From: Borja Marcos <borjamar@sarenet.es>
To: "Ben Pfountz"
cc: freebsd-mobile@FreeBSD.ORG
Subject: Re: Requiring IPsec on wi interface?
Date: Thu, 03 Apr 2003 08:41:40 -0000
X-Original-Date: Tue, 14 Jan 2003 09:21:19 +0100
Message-Id: <200301140921.19982.borjamar@sarenet.es>
In-Reply-To: <002301c2bb8e$0a85db90$6511a8c0@benspiece>
References: <002301c2bb8e$0a85db90$6511a8c0@benspiece>
User-Agent: KMail/1.4.3
List-Id: Mobile computing with FreeBSD

On Tuesday 14 January 2003 06:30, Ben Pfountz wrote:

> I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the
> way ipfw handles IPsec packets. After IPsec processes the packets, it
> passes the packets to the firewall without the ESP flag set. Before the
> upgrade to 4.7-STABLE, I was using the firewall to prevent all but ESP
> packets on that interface. Now, I can't figure out how to firewall all
> but IPsec packets on my wireless interface. I would like to get IPsec
> going instead of WEP, but I would need to somehow block non-ESP packets.
> Anybody have any suggestions?

	I have exactly the same problem. I upgraded my system to -STABLE and had to go back to RELENG_4_7.

	I think this is a serious problem. Packets coming through a tunnel should be seen in a different way than packets received at the interface.

	Of course, with the old behavior, you always trust the packets you receive through a tunnel, but I think the behavior currently implemented in -STABLE is far worse; you cannot do this sort of configuration.

	Protecting the interface with rules such as these has another important advantage: it protects you from configuration errors. In case you forget anything (or there is a problem with IPSec) you make sure that no unencrypted packets will leave the interface.

	Would it be possible to have an added flag to ipfw rules identifying the tunnel, or something like that?

	Borja.
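The "all but ESP on the wireless interface" policy that both messages describe, written out as an ipfw rule set. This is an added example, not code from either poster; it assumes the interface is named wi0, the FreeBSD 4.x ipfw syntax, and that rule numbers 100 to 400 are free in the running rule set. The IPFW variable defaults to echo so the script only prints the rules it would load; set IPFW=/sbin/ipfw to apply them.

```shell
#!/bin/sh
# Added example: restrict a wireless interface to IPsec traffic with ipfw.
# Assumptions: interface wi0, FreeBSD 4.x ipfw rule syntax, rules 100-400 unused.
# IPFW defaults to "echo" (dry run); IPFW=/sbin/ipfw applies the rules.
IPFW="${IPFW:-echo}"

# Emit (or install) the rules for the interface given as $1, in match order.
# ipfw stops at the first matching rule, so the allows must precede the deny,
# and all of them must come before any general "allow ip from any to any".
ipsec_only_rules() {
    ifn="$1"
    # ESP carries the encrypted payload; this is the only data traffic allowed.
    $IPFW add 100 allow esp from any to any via "$ifn"
    # AH, in case the SA uses authentication-only or AH+ESP bundles.
    $IPFW add 200 allow ah from any to any via "$ifn"
    # IKE (ISAKMP, UDP/500) must pass in the clear so SAs can be negotiated.
    $IPFW add 300 allow udp from any 500 to any 500 via "$ifn"
    # Everything else on this interface, in either direction, is dropped.
    # "log" needs a kernel built with IPFIREWALL_VERBOSE; drop the keyword otherwise.
    $IPFW add 400 deny log ip from any to any via "$ifn"
}

# Returns the number of the last rule emitted, which must be the deny.
last_rule_number() {
    ipsec_only_rules "$1" | tail -n 1 | awk '{print $2}'
}

ipsec_only_rules "${WIFI_IF:-wi0}"
```

The last rule is what Borja calls protection against configuration errors: if the SPD is wrong or IPsec is not running, cleartext traffic is dropped at the interface rather than sent over the air. It is also where the behaviour Ben reports bites: if the kernel hands the decrypted packets back to ipfw as ordinary IP on wi0 with no ESP indication, rule 400 drops the tunnel's own inner traffic, so on such a kernel this rule set breaks the tunnel instead of protecting it.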