Date: Tue, 21 Jan 2003 08:50:03 -0700
From: Mike Durian <durian@boogie.com>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>, "Crist J. Clark" <crist.clark@attbi.com>
Cc: Pekka Nikander <pekka.nikander@nomadiclab.com>, freebsd-net@FreeBSD.ORG
Subject: Re: Question about IPsec and double ipfilter processing
Message-ID: <200301210850.03390.durian@boogie.com>
In-Reply-To: <20030121063451.GB37009@blossom.cjclark.org>
References: <200301201731.49942.durian@boogie.com> <20030121063451.GB37009@blossom.cjclark.org>
On Monday 20 January 2003 11:34 pm, Crist J. Clark wrote:
> I don't see this. I have one rule on my external interface,
>
> block in log quick on de0 all head 2000
> ...
> pass in quick proto esp from any to 12.234.89.252/32
> group 2000

First, let me point out that I'm running -current (as of 2 days ago). I don't know if that is relevant to this discussion or not.

The behavior you state is the behavior I was expecting and hoping for, but not what I experienced. When I study my ipmon and ipfstat output, I see the "pass esp" rule matching packets, but then I also see the decoded packets being dropped. I observed the same behavior when I was using ipfw instead of ipfilter.

I am a bit surprised that the packet count is not the same for the ESP packets and the un-encapsulated packets.

41 @5 block in log quick on rl0 from 192.168.0.0/16 to any
27 @15 pass in quick on rl0 proto esp from 64.139.19.166/32 to 66.87.52.132/32

> Obviously, I need a rule on the internal interface to let the
> unencrypted traffic pass this interface. But since all of the
> interesting filtering of traffic from the outside world happens on the
> external interface,

In my case the packets are being dropped on the outside interface, as shown above.

mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
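The ipfilter rule set below is an added example, not Mike's or Crist's configuration, showing one way to handle the behavior Mike reports: on his -current box the decapsulated inner packet re-enters the filter on the external interface rl0, where the catch-all block on 192.168.0.0/16 eats it (hence the 41 blocks next to 27 passed ESP packets). The inner networks (192.168.1.0/24 behind the remote gateway, 10.0.0.0/24 behind rl0) are assumptions chosen for illustration; the public addresses are the ones from the ipfstat output above.

```conf
# Added example ipf.conf fragment (not from the original thread).
# Assumed topology: remote gateway 64.139.19.166 tunnels 192.168.1.0/24
# to our public address 66.87.52.132, behind which sits 10.0.0.0/24.

# 1. Let the outer ESP packet from the peer gateway in on rl0.
pass in quick on rl0 proto esp from 64.139.19.166/32 to 66.87.52.132/32

# 2. After decapsulation the inner packet traverses the rules on rl0
#    again (the double processing Mike observes). Pass only the traffic
#    the tunnel is supposed to carry, and pass it BEFORE the catch-all
#    block so the "quick" block rule never sees it.
pass in quick on rl0 from 192.168.1.0/24 to 10.0.0.0/24

# 3. Keep the anti-spoofing block for every other private source.
block in log quick on rl0 from 192.168.0.0/16 to any
```

Caveat: ipfilter cannot tell a decapsulated packet from a cleartext packet that arrived on rl0 with the same addresses, so rule 2 also admits cleartext packets forged with a 192.168.1.0/24 source. Keep the rule as narrow as the tunnel policy allows (specific ports, or `keep state` on the expected direction), and watch the counters with `ipfstat -hio` to confirm the inner packets now hit rule 2 rather than the block rule.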