From owner-freebsd-net  Sun Jan 13  9: 1:38 2002
Delivered-To: freebsd-net@freebsd.org
Received: from smtpzilla5.xs4all.nl (smtpzilla5.xs4all.nl [194.109.127.141])
	by hub.freebsd.org (Postfix) with ESMTP id C05C237B402
	for <net@freebsd.org>; Sun, 13 Jan 2002 09:01:34 -0800 (PST)
Received: from grand.canyon.xs4all.nl (canyon.xs4all.nl [194.109.195.185])
	by smtpzilla5.xs4all.nl (8.12.0/8.12.0) with ESMTP id g0DH1X3l018352
	for <net@freebsd.org>; Sun, 13 Jan 2002 18:01:33 +0100 (CET)
Received: by grand.canyon.xs4all.nl (Postfix, from userid 1000)
	id E37955FA9; Sun, 13 Jan 2002 18:01:32 +0100 (CET)
Received: from meander.tcja.nl (localhost [127.0.0.1])
	by grand.canyon.xs4all.nl (Postfix) with ESMTP id AC4E05DB2
	for <net@freebsd.org>; Sun, 13 Jan 2002 18:01:32 +0100 (CET)
Date: Sun, 13 Jan 2002 18:01:35 +0100
Mime-Version: 1.0 (Apple Message framework v480)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Subject: Filtering packets received through an ipsec tunnel 
From: Rene de Vries <rene@canyon.xs4all.nl>
To: net@freebsd.org
Content-Transfer-Encoding: 7bit
Message-Id: <3386757E-0847-11D6-882A-00039357FA7A@canyon.xs4all.nl>
X-Mailer: Apple Mail (2.480)
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

Hello,

> This message was already posted to hackers@freebsd.org, but with 
> limited success. I'm hoping that someone on net@freebsd.org can give me 
> some more information.

By experimenting with ipsec and looking at the source of "ip_input.c" a 
co-worker and I found the following out.

When a ipsec tunnel packet is received this (protocol 50/51) packet is 
passed through ip-filter (& co). After filtering and when it has been 
determent that the current host is the destination (tunnel end-point), 
this packet is decrypted/verified. The decrypted packet is then pushed 
back into the queue that leads to ip_input(...). So far so good....

But once in ip_input(...) the filtering code is skipped and we were 
wondering why.

I know that ipsec has some handles to be able to filter on address, 
protocol and/or port. But for more complex situations this is not 
enough. In these situations it would be nice to be able to use 
ip-filter (& co) on traffic from the tunnel (and also for traffic going 
into the tunnel).

I was wondering why this is implemented the way it is. Maybe someone on 
this list could shed a light on this?

Rene
--
Rene de Vries <rene@tcja.nl>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message