Date:      Thu, 03 Apr 2003 08:41:40 -0000
From:      Borja Marcos <borjamar@sarenet.es>
To:        "Ben Pfountz" <netprince@vt.edu>
Cc:        freebsd-mobile@FreeBSD.ORG
Subject:   Re: Requireing IPsec on wi interface?
Message-ID:  <200301140921.19982.borjamar@sarenet.es>
In-Reply-To: <002301c2bb8e$0a85db90$6511a8c0@benspiece>
References:  <002301c2bb8e$0a85db90$6511a8c0@benspiece>

On Tuesday 14 January 2003 06:30, Ben Pfountz wrote:
> I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the
> way ipfw handles IPsec packets.  After IPsec processes the packets, it
> passes the packets to the firewall without the ESP flag set.  Before the
> upgrade to 4.7-STABLE, I was using the firewall to prevent all but ESP
> packets on that interface.  Now, I can't figure out how to firewall all
> but IPsec packets on my wireless interface.  I would like to get IPsec
> going instead of WEP, but I would need to somehow block non-ESP packets.
> Anybody have any suggestions?

I have exactly the same problem. I upgraded my system to -STABLE and had
to go back to RELENG_4_7.

I think this is a serious problem. Packets coming through a tunnel should
be seen in a different way than packets received at the interface.

Of course, with the old behavior, you always trust the packets you receive
through a tunnel, but I think the behavior currently implemented in
-STABLE is far worse; you cannot do this sort of configuration.

Protecting the interface with rules such as these has another important
advantage: it protects you from configuration errors. In case you forget
anything (or there is a problem with IPSec) you make sure that no
unencrypted packets will leave the interface.

Would it be possible to have an added flag to ipfw rules identifying the
tunnel, or something like that?

Borja.
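A toy model of the two kernel behaviours discussed in this thread, added here as an illustration and not code from the thread or from FreeBSD: a first-match rule matcher in the style of ipfw, the "all but ESP on wi0" ruleset, the pre-STABLE flow where only the outer ESP packet is filtered, the 4.7-STABLE flow where the decapsulated inner packet is run through the rules again on the same interface, and a hypothetical `tunnel_only` rule flag standing in for the marker Borja asks for. Interface names, rule numbers and packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                 # "esp", "udp", "tcp", ...
    iface: str                 # interface ipfw sees the packet on
    dport: int = 0
    from_tunnel: bool = False  # inner packet produced by IPsec decapsulation

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                # "allow" or "deny"
    proto: str                 # "ip" matches any protocol
    iface: str                 # "any" matches any interface
    dport: int = 0             # 0 matches any port
    tunnel_only: bool = False  # hypothetical flag: match only decapsulated packets

    def matches(self, p):
        return (self.proto in ("ip", p.proto) and self.iface in ("any", p.iface)
                and self.dport in (0, p.dport)
                and (not self.tunnel_only or p.from_tunnel))

# "All but ESP on the wireless interface": let ESP and IKE (UDP 500) in on
# wi0, drop everything else seen on wi0, allow the rest of the machine.
RULES = [Rule(100, "allow", "esp", "wi0"),
         Rule(110, "allow", "udp", "wi0", 500),
         Rule(200, "deny", "ip", "wi0"),
         Rule(65000, "allow", "ip", "any")]

# Same ruleset plus the hypothetical tunnel flag: decapsulated packets on
# wi0 are accepted before the catch-all deny, cleartext ones still are not.
RULES_WITH_FLAG = RULES[:2] + [Rule(150, "allow", "ip", "wi0", tunnel_only=True)] + RULES[2:]

def ipfw(pkt, rules):
    """First matching rule wins, as in ipfw; default is deny."""
    return next((r.action for r in rules if r.matches(pkt)), "deny")

def deliver_old(inner, rules=RULES):
    """Pre-STABLE: only the outer ESP packet is run through ipfw on wi0."""
    return ipfw(Packet("esp", inner.iface), rules)

def deliver_new(inner, rules=RULES):
    """4.7-STABLE as described in the thread: after the ESP packet is accepted,
    the decapsulated inner packet is passed to ipfw a second time on the same
    interface, with nothing but the (hypothetical) from_tunnel bit to tell it apart."""
    if ipfw(Packet("esp", inner.iface), rules) != "allow":
        return "deny"
    return ipfw(Packet(inner.proto, inner.iface, inner.dport, from_tunnel=True), rules)

SSH_OVER_TUNNEL = Packet("tcp", "wi0", 22)  # constructed: ssh carried inside the tunnel
CLEARTEXT_PROBE = Packet("tcp", "wi0", 22)  # constructed: identical bytes, never encrypted
```

With the plain ruleset the decrypted ssh packet is dropped by rule 200 on the new kernel, exactly the breakage both posters describe, while the flagged ruleset accepts it and still drops the cleartext probe.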

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301140921.19982.borjamar>