Date:      Fri, 01 Dec 2000 08:21:45 -0800
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: filtering ipsec traffic 
Message-ID:  <200012011622.eB1GMMO48317@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 30 Nov 2000 18:26:28 +0100." <20001130182628.P27042@speedy.gsinet>

In message <20001130182628.P27042@speedy.gsinet>, Gerhard Sittig writes:
> On Wed, Nov 29, 2000 at 18:57 +0100, Gerhard Sittig wrote:
> > 
> > Am I wrong thinking that one already has these four hooks
> > available?  (Sorry, I haven't toyed with IPsec yet.)
> > 
> > [ ... ]
> > 
> > And the way out is similar with a chain of
> >   app -> enc0 -> IPsec -> tun0 -> wire
> 
> Woops, forget the above, please! :)  I must have been asleep and
> was confusing this with OpenBSD.  Let me cite from their manpages
> (sorry, don't have a running system around here so I will UTSL :)
> -- feel free to read the online manpages at www.CC.freebsd.org in
> your preferred output format).
> 
> ----- ipsec(4) --------------------------------------------------
> ...
> For example:
> .Bd -literal -offset indent
> Net A <----> Firewall 1 <--- Internet ---> Firewall 2 <----> Net B
> .Ed
> .Pp
> Firewall 1 and Firewall 2 can protect all communications between Net A
> and Net B by using
> .Tn IPsec
> in tunnel mode, as illustrated above.
> .Pp
> This implementation makes use of a virtual interface
> .Nm enc0 ,
> which can be used in packet filters to specify those
> packets that have been or will be processed by
> .Tn IPsec.
> ...
> -----------------------------------------------------------------
> 
> ----- enc(4) ----------------------------------------------------
> ...
> .Sh SYNOPSIS
> .Cd "pseudo-device enc 4"
> .Sh DESCRIPTION
> The
> .Nm
> interface is a software loopback mechanism that allows hosts or
> firewalls to filter
> .Xr ipsec 4
> traffic using
> .Xr ipf 5 .
> The
> .Xr vpn 8
> manpage shows an example of such a setup.
> ...
> -----------------------------------------------------------------
> 
> Maybe that's something FreeBSD wants to have, too?  I don't see a
> difference in which filter gets the packet once it enters /
> leaves the IPsec functionality block and feel the mention of
> ipf(5) -- why 5, not 8 or 4? -- to come from the fact that it's
> OpenBSD's native filter.

This sounds like a pretty handy feature.  You can do the same thing with
an IP-IP tunnel through the IPSec tunnel.  Then you can just filter on
the tun0 interface.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
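Added example (mine, not Cy's or the FreeBSD project's code): a shell script that lays out the FreeBSD equivalent of the arrangement Cy describes, a gif(4) IP-IP tunnel carried inside IPsec, with ipfw(8) rules that admit only IKE, ESP and the IP-IP carrier on the outer interface and police the decrypted inner packets on gif0. The interface names, the RFC 5737 documentation addresses, the network ranges and the ssh/https policy are constructed assumptions; using transport-mode ESP on the carrier packets (the FreeBSD Handbook's gif-over-IPsec layout) is my choice here, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: build a gif(4) IP-IP tunnel, force ESP on
# its carrier packets with setkey(8), and filter the cleartext inner traffic on
# gif0 with ipfw(8).  All addresses and names below are constructed assumptions.

OUTER_IF=em0
LOCAL_PUB=198.51.100.1      # this firewall's public address (assumed)
PEER_PUB=203.0.113.1        # peer firewall's public address (assumed)
LOCAL_NET=10.1.0.0/24       # Net A, behind this firewall (assumed)
REMOTE_NET=10.2.0.0/24      # Net B, behind the peer (assumed)
GIF_LOCAL=10.1.0.1          # tunnel endpoint addresses (assumed)
GIF_REMOTE=10.2.0.1

# Commands that create the IP-IP tunnel and route Net B through it.
gen_tunnel() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_PUB $PEER_PUB
ifconfig gif0 inet $GIF_LOCAL $GIF_REMOTE
route add -net $REMOTE_NET $GIF_REMOTE
EOF
}

# SPD entries: every IP-IP (protocol 4, "ipencap") packet between the two
# firewalls must be protected by ESP, so the tunnel cannot fall back to clear.
gen_spd() {
    cat <<EOF
spdadd $LOCAL_PUB $PEER_PUB ipencap -P out ipsec esp/transport//require;
spdadd $PEER_PUB $LOCAL_PUB ipencap -P in  ipsec esp/transport//require;
EOF
}

# Firewall rules.  On the outer interface only IKE, ESP and the IP-IP carrier
# between the two known endpoints are accepted.  After decryption the inner
# packets appear on gif0, so that is where the peer network's access is decided
# instead of trusting everything that arrived authenticated.  Rules for the
# inside interface are site policy and are left out here.
gen_ipfw() {
    cat <<EOF
ipfw -q add 100 allow udp from $PEER_PUB 500 to $LOCAL_PUB 500 via $OUTER_IF
ipfw -q add 110 allow esp from $PEER_PUB to $LOCAL_PUB in via $OUTER_IF
ipfw -q add 111 allow esp from $LOCAL_PUB to $PEER_PUB out via $OUTER_IF
ipfw -q add 120 allow ipencap from $PEER_PUB to $LOCAL_PUB in via $OUTER_IF
ipfw -q add 121 allow ipencap from $LOCAL_PUB to $PEER_PUB out via $OUTER_IF
ipfw -q add 200 allow tcp from $REMOTE_NET to $LOCAL_NET 22,443 in via gif0
ipfw -q add 210 allow tcp from $LOCAL_NET to $REMOTE_NET established out via gif0
ipfw -q add 220 deny log ip from any to any via gif0
EOF
}

# Emit one reviewable script; pipe it to sh on the firewall to apply.
main() {
    gen_tunnel
    printf 'setkey -c <<"SPD"\n'
    gen_spd
    printf 'SPD\n'
    gen_ipfw
}

main
```

Running the script prints the commands rather than executing them, so the rule set can be reviewed before it is applied. Rule 220 is the point of the exercise: anything from the peer network that is not explicitly allowed is dropped and logged on the tunnel interface, which is only possible because the inner packets are visible there in the clear.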