Date: Thu, 21 Nov 2002 10:09:38 +0100 From: Guido van Rooij <guido@gvr.org> To: Helge Oldach <freebsd-stable-21nov02@oldach.net> Cc: archie@dellroad.org, dkelly@HiWAAY.net, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS Message-ID: <20021121090938.GC96801@gvr.gvr.org> In-Reply-To: <200211210811.gAL8BALI080518@sep.oldach.net> References: <20021120124332.GD47298@gvr.gvr.org> <200211210811.gAL8BALI080518@sep.oldach.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Nov 21, 2002 at 09:11:10AM +0100, Helge Oldach wrote: > ACK. Note that this emulates behaviour of commercial IPSec > implementations. For example, on Cisco IOS boxes the input access list > (roughly a subset of ipfw) are checked twice - once for the original > packet and once for the de-capsulated packet. This holds for tunnel mode > as well as for transport mode. That seems a security hole to me. -Guido To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021121090938.GC96801>