From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 19 03:31:52 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9B2B937B401; Thu, 19 Jun 2003 03:31:52 -0700 (PDT)
Received: from cocoa.syncrontech.com (cocoa-e0.syncrontech.com [62.71.8.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0737243FB1; Thu, 19 Jun 2003 03:31:49 -0700 (PDT) (envelope-from ari.suutari@syncrontech.com)
Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.19]) h5JAVgsV090939; Thu, 19 Jun 2003 13:31:46 +0300 (EEST) (envelope-from ari.suutari@syncrontech.com)
Received: from coffee.syncrontech.com (coffee.syncrontech.com [62.71.8.37]) h5JAVek6097316; Thu, 19 Jun 2003 13:31:41 +0300 (EEST) (envelope-from ari.suutari@syncrontech.com)
From: Ari Suutari
Organization: Syncron Tech Oy
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Date: Thu, 19 Jun 2003 13:31:40 +0300
User-Agent: KMail/1.5.2
MIME-Version: 1.0
Message-Id: <200306191331.40421.ari.suutari@syncrontech.com>
X-Scanned-By: MIMEDefang 2.24 (www . roaringpenguin . com / mimedefang)
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: patches for ipsec packet filtering support in ipfw2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 19 Jun 2003 10:31:53 -0000

Hi,

Here are two small patches (done on 5.1-RELEASE, but should be ok for -current also) which add a new "ipsec" flag to ipfw2. Rules with this flag match only packets that have ipsec history (i.e. came from ipsec processing). Rules with "not ipsec" match only non-ipsec packets. Without the new keyword, both types of packets match (as before).

To try these out, apply the patches, and compile the kernel with

    options IPFIREWALL
    options IPSEC
    options IPSEC_ESP
    options IPSEC_FILTERGIF

Also, recompile /usr/src/sbin/ipfw and install it.

With the new flag it is easily possible to stop spoofing from RFC1918 networks, but allow traffic from those nets if it is coming from IPsec:

    ipfw add deny all from 192.168.0.0/16 to any via ${oif} not ipsec
    ipfw add pass tcp from 192.168.x.y/24 to a.b.c.d 23 ipsec setup

This example drops spoofed packets, but allows a telnet connection *if* the packet comes via ipsec.

My testing has been done on a 5.1-RELEASE machine. It seems to work, and it didn't crash anything.

I hope that this flag is useful to others too; maybe someone could get it committed into -current?

	Ari S.
	Lappeenranta, Finland
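The patch attachments themselves were stripped by the list software (see the X-Content-Filtered-By header), so the matching semantics described above are modelled below in a small user-space evaluator. This is an added example, not the posted patch or any ipfw code: it implements the three states a rule can be in (keyword absent, "ipsec", "not ipsec") against a packet's ipsec-history bit, evaluates a rule list in ipfw's first-match order with an implicit final deny (IPFIREWALL's default), and runs the mail's anti-spoofing ruleset over constructed packets. The concrete addresses (192.168.1.0/24, 10.0.0.1, 203.0.113.7) stand in for the mail's 192.168.x.y and a.b.c.d placeholders and are assumptions; interface matching (`via ${oif}`) is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the posted patch): a toy model of the tri-state
 * "ipsec" / "not ipsec" / unspecified match described in the mail,
 * applied to a short rule list in ipfw's first-match order.
 * Addresses and ports are assumptions chosen for the demonstration. */

enum action { PASS = 0, DENY = 1 };
enum ipsec_match { IPSEC_ANY, IPSEC_ONLY, IPSEC_NOT };

struct pkt {
    uint32_t src, dst;     /* IPv4 addresses, host byte order */
    int proto;             /* 6 = TCP */
    int dport;
    int setup;             /* TCP SYN without ACK (ipfw "setup") */
    int ipsec_history;     /* 1 if the packet came out of IPsec processing */
};

struct rule {
    enum action act;
    uint32_t src_net, src_mask, dst_net, dst_mask;
    int proto, dport;      /* -1 = any */
    int setup;             /* 1 = only match TCP connection setup */
    enum ipsec_match ipsec;
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t plen_mask(int plen)
{
    return plen == 0 ? 0u : ~0u << (32 - plen);
}

static struct rule mkrule(enum action act, uint32_t snet, int splen,
                          uint32_t dnet, int dplen, int proto, int dport,
                          int setup, enum ipsec_match m)
{
    struct rule r;
    r.act = act;
    r.src_mask = plen_mask(splen); r.src_net = snet & r.src_mask;
    r.dst_mask = plen_mask(dplen); r.dst_net = dnet & r.dst_mask;
    r.proto = proto; r.dport = dport; r.setup = setup; r.ipsec = m;
    return r;
}

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    if ((p->src & r->src_mask) != r->src_net) return 0;
    if ((p->dst & r->dst_mask) != r->dst_net) return 0;
    if (r->proto != -1 && r->proto != p->proto) return 0;
    if (r->dport != -1 && r->dport != p->dport) return 0;
    if (r->setup && !p->setup) return 0;
    /* The new keyword: "ipsec" needs history, "not ipsec" needs none,
     * and a rule without the keyword matches either kind of packet. */
    if (r->ipsec == IPSEC_ONLY && !p->ipsec_history) return 0;
    if (r->ipsec == IPSEC_NOT && p->ipsec_history) return 0;
    return 1;
}

/* Rule list modelled on the mail's example; first match wins. */
static size_t build_rules(struct rule *out)
{
    size_t n = 0;
    /* deny all from 192.168.0.0/16 to any not ipsec */
    out[n++] = mkrule(DENY, ip4(192,168,0,0), 16, 0, 0, -1, -1, 0, IPSEC_NOT);
    /* pass tcp from 192.168.1.0/24 to 10.0.0.1 23 ipsec setup (assumed addresses) */
    out[n++] = mkrule(PASS, ip4(192,168,1,0), 24, ip4(10,0,0,1), 32, 6, 23, 1, IPSEC_ONLY);
    /* pass tcp from any to 10.0.0.1 80: no keyword, so ipsec or not (assumed) */
    out[n++] = mkrule(PASS, 0, 0, ip4(10,0,0,1), 32, 6, 80, 0, IPSEC_ANY);
    return n;
}

/* Evaluate one packet; the implicit last rule denies, like IPFIREWALL's default. */
enum action verdict(uint32_t src, uint32_t dst, int proto, int dport, int setup, int ipsec)
{
    struct rule rules[8];
    size_t n = build_rules(rules);
    struct pkt p = { src, dst, proto, dport, setup, ipsec };
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], &p)) return rules[i].act;
    return DENY;
}

int main(void)
{
    /* constructed packets: a spoofed RFC1918 source from the outside versus
     * the same source arriving through an IPsec tunnel */
    printf("spoofed telnet SYN, no ipsec: %s\n",
           verdict(ip4(192,168,1,5), ip4(10,0,0,1), 6, 23, 1, 0) == DENY ? "deny" : "pass");
    printf("telnet SYN via ipsec:        %s\n",
           verdict(ip4(192,168,1,5), ip4(10,0,0,1), 6, 23, 1, 1) == DENY ? "deny" : "pass");
    printf("http from Internet host:     %s\n",
           verdict(ip4(203,0,113,7), ip4(10,0,0,1), 6, 80, 1, 0) == DENY ? "deny" : "pass");
    return 0;
}
```

The point of the third rule is the one the mail makes in passing: a rule without the keyword behaves exactly as before and matches both decapsulated and plain packets, so the anti-spoofing deny must come first and carry "not ipsec", otherwise legitimate tunnelled traffic with an RFC1918 source is dropped before any later pass rule is reached.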