Date: Tue, 19 Nov 2002 20:24:28 +0100
From: Guido van Rooij <guido@gvr.org>
To: Scott Ullrich <sullrich@CRE8.COM>
Cc: David Kelly <dkelly@hiwaay.net>, 'Archie Cobbs' <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?)
Message-ID: <20021119192428.GC43631@gvr.gvr.org>
In-Reply-To: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C57@exchange.corp.cre8.com>
References: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C57@exchange.corp.cre8.com>
On Tue, Nov 19, 2002 at 02:08:54PM -0500, Scott Ullrich wrote:
> Guido,
>
> I am using a tunneling device (gif0).
>
> How are we supposed to fix the issue with your patch installed? If we need
> to add more rules, that's fine but what would these rules be? Are they
> before the divert? After the divert, etc?

What divert? There should not be a need for a divert.

If you have a gif tunnel for ESP (like I described in a mail I just sent):

Let's examine the following situation:

interfaces: fxp0, gif0

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 192.168.100.1 --> 192.168.100.2
        inet 10.0.0.1 --> 10.0.1.1 netmask 0xffffff00
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255

Then suppose I have ESP between 10.0.0.1 and 10.0.1.1.

Then you should have rules allowing IPSECed packets in and out of fxp0,
rules allowing UDP traffic on port 500 in and out (ISAKMP) and rules in
and out from the gif device for the unencrypted packets.

You can use tcpdump to see what is on which interface.

Let me state that I am not an ipfw developer. But if tcpdump shows a
packet coming in or going out an interface, then ipfw should be able to
filter that packet _on that interface_.

-Guido
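The rule set Guido describes, written out as an added ipfw example for the fxp0 + gif0 layout above (it is not code from the thread). Rule numbers are arbitrary, and the ESP rules assume the SAs terminate on the tunnel's outer addresses 192.168.100.1 and 192.168.100.2, the usual gif-plus-transport-mode layout; if ESP runs between the inner addresses instead, substitute those. The log-and-deny rules for cleartext tunnel traffic on fxp0 are my addition, as a way to notice packets being attributed to the wrong interface.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): ipfw rules for the
# fxp0 + gif0 layout in Guido's mail. Rule numbers and the ESP endpoint
# addresses are assumptions; adjust them to the real SPD/SA setup.
OUTER_IF=fxp0                 # physical interface carrying ESP and ISAKMP
TUN_IF=gif0                   # tunnel interface carrying cleartext packets
OUTER_LOCAL=192.168.100.1     # gif outer endpoints (assumed ESP endpoints)
OUTER_PEER=192.168.100.2
INNER_NET=10.0.0.0/24         # networks behind each end of the tunnel
PEER_NET=10.0.1.0/24
# IPFW defaults to "echo" so running the script only previews the rules;
# run with IPFW=ipfw as root to actually load them.
IPFW="${IPFW:-echo}"

gif_esp_rules() {
    # 1. Encrypted traffic: ESP between the outer addresses, fxp0 only.
    $IPFW add 1000 allow esp from $OUTER_LOCAL to $OUTER_PEER out xmit $OUTER_IF
    $IPFW add 1010 allow esp from $OUTER_PEER to $OUTER_LOCAL in recv $OUTER_IF
    # 2. ISAKMP (IKE) key exchange on UDP port 500, fxp0 only.
    $IPFW add 1020 allow udp from $OUTER_LOCAL 500 to $OUTER_PEER 500 out xmit $OUTER_IF
    $IPFW add 1030 allow udp from $OUTER_PEER 500 to $OUTER_LOCAL 500 in recv $OUTER_IF
    # 3. Cleartext traffic: filtered on gif0, which is where tcpdump shows
    #    it before encapsulation (out) and after decryption (in).
    $IPFW add 1040 allow ip from $INNER_NET to $PEER_NET out xmit $TUN_IF
    $IPFW add 1050 allow ip from $PEER_NET to $INNER_NET in recv $TUN_IF
    # 4. Cleartext tunnel traffic has no business on fxp0. A logged hit
    #    here means a packet was attributed to the wrong interface, which
    #    is the symptom this thread is about.
    $IPFW add 1060 deny log ip from $PEER_NET to $INNER_NET in recv $OUTER_IF
    $IPFW add 1070 deny log ip from $INNER_NET to $PEER_NET out xmit $OUTER_IF
}

gif_esp_rules
# To confirm which interface carries what, as Guido suggests:
#   tcpdump -ni fxp0 'esp or udp port 500'   # only ESP and IKE expected here
#   tcpdump -ni gif0                          # cleartext 10.0.0.x <-> 10.0.1.x
```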