From owner-freebsd-stable Fri Oct 26 3:48:48 2001
From: vita@fio.cz
To: Mike Harding, stable@freebsd.org
Subject: Re: IPFW/IPSEC/NAT interaction issues with 4.4, Bug ???
Date: Fri, 26 Oct 2001 12:48:38 +0200 (CEST)
In-Reply-To: <20011026021302.5EE59134D2@netcom1.netcom.com>
Organization: FIO holding
X-Mailer: XFMail 1.5.0 on FreeBSD

On 26-Oct-2001 Mike Harding wrote:
>
> This is a feature - if you don't do this, you can't tell decapsulated
> traffic from raw traffic. That was the old config. If you have a
> router, you can filter on the inside interface. I suggested inserting
> the traffic on a fake interface so you could do more interesting
> things like NAT, better filtering, etc, but some KAME folk seemed to
> get very upset about this, although I couldn't follow the reasoning...
>
> - Mike H.

Do you mean that "because the firewall can't tell decapsulated traffic from raw traffic, the firewall is skipped for decapsulated packets"?

Yes, I can filter on the inside interface, but what about NAT? natd must run on the outside interface.
I see only one solution for my configuration - skip the nat divert for packets outgoing from the 10/8 net (they should be esp encapsulated) and configure the opposite host to process packets going back with a 10.x.x.x destination address some way. But if I want to communicate by esp with a host which I can't configure, I'm lost, because it will not like my packets from the 10/8 net.

vita

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
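The rule ordering vita describes (exempt the 10/8 traffic that will be ESP-encapsulated from the natd divert so it keeps its private source address), as an added ipfw example that is not from this thread. The outside interface name fxp0 and the peer's private subnet 10.1.0.0/16 are assumptions; by default the script only echoes the rules.

```shell
#!/bin/sh
# Added example (not from the thread): on FreeBSD 4.x ipfw rules are
# evaluated in number order, so a skipto placed before the divert rule
# lets tunnel-bound 10/8 packets reach the IPsec path un-NATed while
# everything else leaving the outside interface still goes to natd.
EXT_IF="${EXT_IF:-fxp0}"                 # assumed outside interface, where natd runs
LOCAL_NET="10.0.0.0/8"                   # the 10/8 net from the thread
REMOTE_NET="${REMOTE_NET:-10.1.0.0/16}"  # assumed peer subnet behind the ESP tunnel

# Emits the rule list. Inbound packets that IPsec decapsulates bypass
# ipfw on 4.4 (Mike's point above), so they never reach rule 200 either.
ipfw_rules() {
cat <<EOF
add 100 skipto 300 ip from ${LOCAL_NET} to ${REMOTE_NET} out via ${EXT_IF}
add 200 divert natd ip from any to any via ${EXT_IF}
add 300 allow ip from any to any
EOF
}

# DRY_RUN=1 (default) prints the ipfw commands for review; DRY_RUN=0 applies them.
apply_rules() {
  ipfw_rules | while read -r line; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "ipfw $line"
    else
      ipfw $line
    fi
  done
}

# Sanity check: the bypass must have a lower rule number than the divert,
# otherwise natd rewrites the source address before the exemption applies.
bypass_precedes_divert() {
  bypass=$(ipfw_rules | awk '/skipto/ {print $2}')
  divert=$(ipfw_rules | awk '/divert/ {print $2}')
  [ "$bypass" -lt "$divert" ]
}

apply_rules
```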