From owner-freebsd-net Tue Jan 21 7:50:14 2003
From: Mike Durian <durian@boogie.com>
To: "Crist J. Clark"
Cc: Pekka Nikander, freebsd-net@FreeBSD.ORG
Subject: Re: Question about IPsec and double ipfilter processing
Date: Tue, 21 Jan 2003 08:50:03 -0700
Message-Id: <200301210850.03390.durian@boogie.com>
In-Reply-To: <20030121063451.GB37009@blossom.cjclark.org>
References: <200301201731.49942.durian@boogie.com> <20030121063451.GB37009@blossom.cjclark.org>

On Monday 20 January 2003 11:34 pm, Crist J. Clark wrote:
> I don't see this. I have one rule on my external interface,
>
>   block in log quick on de0 all head 2000
> ...
>   pass in quick proto esp from any to 12.234.89.252/32 group 2000

First, let me point out that I'm running -current (as of 2 days ago). I don't know if that is relevant to this discussion or not.

The behavior you state is the behavior I was expecting and hoping for, but not what I experienced. When I study my ipmon and ipfstat output, I see the "pass esp" rule matching packets, but then I also see the decoded packets being dropped.
I observed the same behavior when I was using ipfw instead of ipfilter. I am a bit surprised that the packet count is not the same for the ESP packets and the un-encapsulated packets.

  41 @5  block in log quick on rl0 from 192.168.0.0/16 to any
  27 @15 pass in quick on rl0 proto esp from 64.139.19.166/32 to 66.87.52.132/32

> Obviously, I need a rule on the internal interface to let the
> unencrypted traffic pass this interface. But since all of the
> interesting filtering of traffic from the outside world happens on the
> external interface, I

In my case the packets are being dropped on the outside interface, as shown above.

mike
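The behaviour Mike reports above (the "pass esp" rule matches, yet the decapsulated packets are then dropped by the "block ... from 192.168.0.0/16" rule on the same interface) follows from two things: ipfilter's first-match "quick" semantics, and the IPsec stack feeding the inner packet back through the input filter on the external interface after decapsulation. The following is an added example, not code from the thread, from FreeBSD or from ipfilter: a small Python model of ipf(5) rule evaluation for the two rules quoted in the ipfstat output, run over a constructed packet sequence. The decapsulation model (inner packet re-enters on the same interface, direction "in"), the inner addresses 192.168.2.10 and 192.168.1.3, and the two stray RFC 1918-sourced packets (one possible reason the block counter can exceed the ESP pass counter) are all assumptions made for the demonstration.

```python
"""Model ipfilter 'quick' first-match evaluation on an ESP packet and on the
decapsulated packet the IPsec stack re-injects on the same interface.
Added example; the rule syntax subset and the decapsulation model are
assumptions, not FreeBSD or ipfilter code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    text: str
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # stop evaluating on match
    iface: Optional[str]   # None means any interface
    proto: Optional[str]   # None means any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int = 0          # models the counter column of `ipfstat -io`


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str


def parse_rule(text: str) -> Rule:
    """Parse the ipf(5) subset used in the thread:
    <pass|block> <in|out> [log] [quick] [on IF] [proto P] from NET to NET"""
    toks = text.split()
    action, direction = toks[0], toks[1]
    iface = proto = None
    src = dst = ANY
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("on", "proto", "from", "to"):
            arg = toks[i + 1]
            if t == "on":
                iface = arg
            elif t == "proto":
                proto = arg
            else:
                net = ANY if arg == "any" else ipaddress.ip_network(arg, strict=False)
                if t == "from":
                    src = net
                else:
                    dst = net
            i += 2
        else:  # flags without an argument: "log", "quick"
            i += 1
    return Rule(text, action, direction, "quick" in toks, iface, proto, src, dst)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """ipfilter semantics: the last matching rule decides, except that a
    matching 'quick' rule ends evaluation at once. No match at all: pass."""
    verdict = "pass"
    for r in rules:
        if matches(r, pkt):
            r.hits += 1
            verdict = r.action
            if r.quick:
                break
    return verdict


def decapsulate(esp: Packet, inner_src: str, inner_dst: str, inner_proto: str) -> Packet:
    """Assumed model of tunnel-mode IPsec input: after the ESP packet is accepted
    and decrypted, the inner packet re-enters the input path on the SAME
    interface, now carrying the private inner addresses."""
    return Packet(esp.iface, "in", inner_proto, inner_src, inner_dst)


RULES_TEXT = [
    "block in log quick on rl0 from 192.168.0.0/16 to any",
    "pass in quick on rl0 proto esp from 64.139.19.166/32 to 66.87.52.132/32",
]


def run_demo() -> Tuple[dict, List[Tuple[str, Optional[str]]]]:
    rules = [parse_rule(t) for t in RULES_TEXT]
    log = []
    # Constructed traffic: three ESP packets from the peer, each tunnelling a
    # packet from an assumed remote private LAN host to the local host.
    for _ in range(3):
        esp = Packet("rl0", "in", "esp", "64.139.19.166", "66.87.52.132")
        outer = filter_packet(rules, esp)                       # "pass" (rule 2)
        inner = decapsulate(esp, "192.168.2.10", "192.168.1.3", "tcp")
        log.append((outer, filter_packet(rules, inner)))        # "block" (rule 1)
    # Two constructed stray packets with an RFC 1918 source arriving in the
    # clear: they only ever touch the block rule, so its counter outruns the
    # ESP pass counter, one way the 41 vs 27 split above can arise.
    for _ in range(2):
        stray = Packet("rl0", "in", "udp", "192.168.77.1", "66.87.52.132")
        log.append((filter_packet(rules, stray), None))
    return {r.text: r.hits for r in rules}, log


if __name__ == "__main__":
    hits, log = run_demo()
    for text, n in hits.items():
        print(f"{n:3d}  {text}")
    print(log)
```

Each ESP packet is counted once on the pass rule and once more, after decapsulation, on the block rule; the stray clear-text packets show why the two counters need not agree even though every ESP packet produced exactly one inner packet.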