From: "Cambria, Mike"
To: 'Guido van Rooij', Scott Ullrich
Cc: David Kelly, 'Archie Cobbs', "'greg.panula@dolaninformation.com'", FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?)
Date: Tue, 19 Nov 2002 15:35:49 -0500
List: freebsd-stable@freebsd.org

> -----Original Message-----
> From: Guido van Rooij [mailto:guido@gvr.org]
>
> I think having either esp0 as a catch-all device, or having a
> pseudo-interface per physical interface (e.g. fxp_esp for fxp) is the
> solution, where I'd vote for the second one. Reason for that vote: if you
> only can filter on esp0 you can't retrieve the original interface and you
> might end up having to allow spoofed packets in.

I too like the latter case. I use tunnel mode and not gif. Somewhere between 4.6-Stable and 4.7-Stable I needed to add rules to ipfw to allow traffic inside my tunnel to pass. I like the idea of running ipfw on traffic after it leaves an IPsec tunnel.

But at the moment, I have a "hole" in my rules that will let packets to 172.16.0.0 in.

MikeC

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
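The trade-off the thread is arguing about, as an added toy model (not FreeBSD code, not from any poster): a tiny first-match filter over a subset of ipfw's "allow|deny ip from SRC to DST in via IFACE" syntax, applied to decapsulated packets under two hypothetical naming schemes, a single catch-all "esp0" pseudo-interface versus a per-physical-interface "<ifname>_esp" pseudo-interface. The interface names, the Packet/Rule types and the sample packets are all constructed for the illustration. It shows why a rule opened on the physical interface (the "hole" above) admits a plaintext spoof, why a catch-all esp0 cannot tell which physical interface the tunnel terminated on, and why a per-interface pseudo-interface lets the rule stay tight.

```python
"""Toy model of filtering decapsulated IPsec traffic with ipfw-style rules.

Constructed example; it does not reproduce ipfw or the FreeBSD IPsec stack.
Interface names ("fxp0", "esp0", "fxp0_esp") follow the naming schemes
discussed in the thread and are assumptions of this model.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str   # physical interface the packet (or its ESP wrapper) arrived on
    esp: bool    # True if the packet was carried inside an ESP tunnel on the wire


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    iface: Optional[str]             # None means "any interface"


def parse_rule(text: str) -> Rule:
    """Parse the subset 'allow|deny ip from SRC to DST in via IFACE'."""
    toks = text.split()
    action, src, dst = toks[0], toks[3], toks[5]
    iface = toks[toks.index("via") + 1] if "via" in toks else None

    def net(s: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)

    return Rule(action, net(src), net(dst), iface)


def filter_view(pkt: Packet, scheme: str) -> str:
    """Interface name the filter sees for a decapsulated packet.

    scheme == "catch-all": every decapsulated packet appears on "esp0".
    scheme == "per-iface": it appears on "<physical>_esp", so the original
    interface is still recoverable.
    Plaintext packets are seen on their physical interface either way.
    """
    if not pkt.esp:
        return pkt.iface
    return "esp0" if scheme == "catch-all" else pkt.iface + "_esp"


def decide(rules: List[Rule], pkt: Packet, scheme: str) -> str:
    """First-match evaluation; default deny, like ipfw without DEFAULT_TO_ACCEPT."""
    seen_on = filter_view(pkt, scheme)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if src in r.src and dst in r.dst and (r.iface is None or r.iface == seen_on):
            return r.action
    return "deny"


# Constructed sample traffic.  fxp0 is the outside NIC, fxp1 the inside NIC.
SPOOF = Packet("10.9.9.9", "172.16.1.1", "fxp0", esp=False)      # plaintext, forged
TUNNEL_OUT = Packet("172.16.2.2", "172.16.1.1", "fxp0", esp=True)  # legitimate VPN
TUNNEL_IN = Packet("172.16.2.2", "172.16.1.1", "fxp1", esp=True)   # ESP terminated on inside NIC

HOLE = [parse_rule("allow ip from any to 172.16.0.0/16 in via fxp0")]
CATCH_ALL = [parse_rule("allow ip from any to 172.16.0.0/16 in via esp0")]
PER_IFACE = [parse_rule("allow ip from any to 172.16.0.0/16 in via fxp0_esp")]


def summary() -> dict:
    """Decisions for each ruleset; the keys are scenario names."""
    return {
        "hole_lets_spoof_in": decide(HOLE, SPOOF, "per-iface"),
        "hole_passes_tunnel": decide(HOLE, TUNNEL_OUT, "per-iface"),
        "catch_all_tunnel_fxp0": decide(CATCH_ALL, TUNNEL_OUT, "catch-all"),
        "catch_all_tunnel_fxp1": decide(CATCH_ALL, TUNNEL_IN, "catch-all"),
        "per_iface_spoof": decide(PER_IFACE, SPOOF, "per-iface"),
        "per_iface_tunnel_fxp0": decide(PER_IFACE, TUNNEL_OUT, "per-iface"),
        "per_iface_tunnel_fxp1": decide(PER_IFACE, TUNNEL_IN, "per-iface"),
    }


if __name__ == "__main__":
    for name, verdict in summary().items():
        print(f"{name:24s} {verdict}")
```

In the model, the rule on the physical interface admits the forged plaintext packet, the catch-all esp0 rule cannot separate a tunnel that terminated on fxp0 from one that terminated on fxp1, and only the per-interface pseudo-interface rule accepts the outside tunnel while rejecting both the spoof and the inside tunnel.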