From owner-freebsd-stable Tue Nov 19 11:24:36 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30AE037B401 for ; Tue, 19 Nov 2002 11:24:35 -0800 (PST)
Received: from gvr.gvr.org (gvr.gvr.org [212.61.40.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A67443E75 for ; Tue, 19 Nov 2002 11:24:33 -0800 (PST) (envelope-from guido@gvr.org)
Received: by gvr.gvr.org (Postfix, from userid 657) id EB3D329B; Tue, 19 Nov 2002 20:24:28 +0100 (CET)
Date: Tue, 19 Nov 2002 20:24:28 +0100
From: Guido van Rooij
To: Scott Ullrich
Cc: David Kelly, 'Archie Cobbs', "'greg.panula@dolaninformation.com'", FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?)
Message-ID: <20021119192428.GC43631@gvr.gvr.org>
References: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C57@exchange.corp.cre8.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C57@exchange.corp.cre8.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, Nov 19, 2002 at 02:08:54PM -0500, Scott Ullrich wrote:
> Guido,
>
> I am using a tunneling device (gif0).
>
> How are we supposed to fix the issue with your patch installed? If we need
> to add more rules, that's fine but what would these rules be? Are they
> before the divert? After the divert, etc?

What divert? There should not be a need for a divert.
If you have a gif tunnel for ESP (like I described in a mail I just sent):

Let's examine the following situation:

interfaces: fxp0, gif0

gif0: flags=8051 mtu 1280
        tunnel inet 192.168.100.1 --> 192.168.100.2
        inet 10.0.0.1 --> 10.0.1.1 netmask 0xffffff00
fxp0: flags=8843 mtu 1500
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255

Then suppose I have ESP between 10.0.0.1 and 10.0.1.1.

Then you should have rules allowing IPSECed packets in and out of fxp0,
rules allowing UDP traffic on port 500 in and out (ISAKMP) and rules in
and out from the gif device for the unencrypted packets.

You can use tcpdump to see what is on which interface.

Let me state that I am not an ipfw developer. But if tcpdump shows a
packet coming in or going out an interface, then ipfw should be able to
filter that packet _on that interface_.

-Guido

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
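The rule set Guido describes (ESP and ISAKMP on the outer interface, cleartext on the gif device), written out as an added example that is not part of the mail or of any FreeBSD source. It is a small POSIX shell generator that emits ipfw(8) "add" commands for the interfaces and addresses shown above; the rule numbers, the inner /24 networks and the choice to anchor ESP and UDP/500 on the tunnel's outer endpoints (192.168.100.1 and 192.168.100.2, which is what fxp0 carries in the usual transport-mode gif setup) are assumptions of this example. The final deny rule is an added anti-spoofing check: cleartext packets claiming to come from the remote inner network must only ever arrive via gif0, never directly on fxp0.

```shell
#!/bin/sh
# Added example: emit ipfw rules for an ESP-protected gif tunnel.
# Assumed topology (interfaces as in the mail, networks are assumptions):
#   ext_if   = fxp0, outer endpoints local_gw=192.168.100.1, peer_gw=192.168.100.2
#   tun_if   = gif0, inner networks  local_net=10.0.0.0/24,  remote_net=10.0.1.0/24
# Assumption: ESP and ISAKMP (UDP/500) run between the outer endpoints, so
# that is what ipfw sees on ext_if; the decapsulated cleartext shows on tun_if.
# Rule numbers start at $base (default 1000) and are an arbitrary choice.

ipfw_ipsec_gif_rules() {
    ext_if=$1 local_gw=$2 peer_gw=$3 tun_if=$4 local_net=$5 remote_net=$6
    base=${7:-1000}
    cat <<EOF
ipfw add $base allow udp from $peer_gw 500 to $local_gw 500 in via $ext_if
ipfw add $((base+10)) allow udp from $local_gw 500 to $peer_gw 500 out via $ext_if
ipfw add $((base+20)) allow esp from $peer_gw to $local_gw in via $ext_if
ipfw add $((base+30)) allow esp from $local_gw to $peer_gw out via $ext_if
ipfw add $((base+40)) allow ip from $remote_net to $local_net in via $tun_if
ipfw add $((base+50)) allow ip from $local_net to $remote_net out via $tun_if
ipfw add $((base+60)) deny log ip from $remote_net to any in via $ext_if
EOF
}

# Stand-alone run: print the rule set for the topology from the mail.
ipfw_ipsec_gif_rules fxp0 192.168.100.1 192.168.100.2 gif0 10.0.0.0/24 10.0.1.0/24 1000
```

Review the emitted rules, then feed them to the shell on the gateway (for example, `ipfw_ipsec_gif_rules ... | sh`) ahead of whatever default deny the existing rule set ends with. To confirm the traffic lands on the interfaces the rules expect, watch both sides as Guido suggests: `tcpdump -ni fxp0 esp or udp port 500` should show only encrypted and ISAKMP traffic on fxp0, and `tcpdump -ni gif0` should show the cleartext; a hit on the final deny rule in the ipfw log means cleartext from the remote network reached fxp0 unencapsulated, which is exactly the "wrong interface" symptom this thread is about.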