From: Scott Ullrich <sullrich@CRE8.COM>
To: 'Guido van Rooij', Scott Ullrich
Cc: David Kelly, 'Archie Cobbs', 'greg.panula@dolaninformation.com', FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?)
Date: Tue, 19 Nov 2002 14:48:08 -0500

I need the divert rule for NATD.

-Scott

-----Original Message-----
From: Guido van Rooij [mailto:guido@gvr.org]
Sent: Tuesday, November 19, 2002 2:24 PM
To: Scott Ullrich
Cc: David Kelly; 'Archie Cobbs'; 'greg.panula@dolaninformation.com'; FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?)

On Tue, Nov 19, 2002 at 02:08:54PM -0500, Scott Ullrich wrote:
> Guido,
>
> I am using a tunneling device (gif0).
>
> How are we supposed to fix the issue with your patch installed? If we
> need to add more rules, that's fine but what would these rules be?
> Are they before the divert? After the divert, etc?

What divert? There should not be a need for a divert.
If you have a gif tunnel for ESP (like I described in a mail I just sent):

Let's examine the following situation:

interfaces: fxp0, gif0

gif0: flags=8051 mtu 1280
        tunnel inet 192.168.100.1 --> 192.168.100.2
        inet 10.0.0.1 --> 10.0.1.1 netmask 0xffffff00
fxp0: flags=8843 mtu 1500
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255

Then suppose I have ESP between 10.0.0.1 and 10.0.1.1. Then you should have rules allowing IPSECed packets in and out of fxp0, rules allowing UDP traffic on port 500 in and out (ISAKMP) and rules in and out from the gif device for the unencrypted packets.

You can use tcpdump to see what is on which interface.

Let me state that I am not an ipfw developer. But if tcpdump shows a packet coming in or going out an interface, then ipfw should be able to filter that packet _on that interface_.

-Guido
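The rule layout Guido describes, written out as an added example that is not part of the thread: an ipfw rule file keyed on interface, so the encrypted and the tunnelled form of the same traffic are filtered where tcpdump actually shows them. Interface names and addresses are taken from the ifconfig output above; the rule numbers, the inner /24 networks and the protocol-4 rule for gif's own IP-in-IP encapsulation are assumptions.

```shell
# Added example, not from the thread. Emits an ipfw rule file for the
# fxp0 + gif0 layout in the ifconfig output above: ESP, ISAKMP and gif's
# own IP-in-IP go on the physical NIC, what travels inside the tunnel
# only on gif0. Rule numbers, inner /24s and the proto-4 rule are assumed.
EXT_IF=fxp0
TUN_IF=gif0
LOCAL_GW=192.168.100.1    # our tunnel endpoint (fxp0 address)
REMOTE_GW=192.168.100.2   # peer tunnel endpoint
LOCAL_NET=10.0.0.0/24     # assumed inner networks reached over gif0
REMOTE_NET=10.0.1.0/24

# Print rules in the form "ipfw <file>" loads (one "add ..." per line;
# ipfw ignores '#' comments in a rule file). ESP and ISAKMP are matched
# by interface only, since their addresses depend on where the SA is
# set up (between the gateways or between the inner addresses).
ipfw_vpn_rules() {
  cat <<EOF
# encrypted payload (ESP) is only legitimate on the physical NIC
add 1000 allow esp from any to any in via $EXT_IF
add 1010 allow esp from any to any out via $EXT_IF
# ISAKMP key exchange, UDP 500
add 1100 allow udp from any 500 to any 500 in via $EXT_IF
add 1110 allow udp from any 500 to any 500 out via $EXT_IF
# gif outer header: IP-in-IP (protocol 4) between the tunnel endpoints
add 1200 allow 4 from $REMOTE_GW to $LOCAL_GW in via $EXT_IF
add 1210 allow 4 from $LOCAL_GW to $REMOTE_GW out via $EXT_IF
# what travels inside the tunnel is only ever visible on gif0:
# filter it there, restricted to the two inner networks
add 2000 allow ip from $REMOTE_NET to $LOCAL_NET in via $TUN_IF
add 2010 allow ip from $LOCAL_NET to $REMOTE_NET out via $TUN_IF
# inner-network addresses in the clear on the physical NIC mean leaked
# or spoofed traffic: drop and log so tcpdump and ipfw can be compared
add 2100 deny log ip from $REMOTE_NET to any in via $EXT_IF
add 2110 deny log ip from any to $REMOTE_NET out via $EXT_IF
EOF
}

# Number of rules the file would install; sanity check before running
# "ipfw -f flush && ipfw /path/to/file" on the gateway.
rule_count() {
  ipfw_vpn_rules | grep -c '^add '
}

# Rules that touch one interface, e.g. to confirm nothing allows the
# inner networks in the clear on fxp0.
rules_for_iface() {
  ipfw_vpn_rules | grep "via $1\$"
}
```

Save the emitted rules to a file and load them with `ipfw /path/to/file`; `ipfw -a list` afterwards shows per-rule counters, which can be checked against what tcpdump reports on each interface.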