From: "Ben Pfountz"
To: freebsd-mobile@FreeBSD.org
Subject: Requiring IPsec on wi interface?
Date: Tue, 14 Jan 2003 00:30:25 -0500
List: freebsd-mobile

I just fixed my wi interface by upgrading to 4.7-STABLE. The upgrade was required in order to prevent crashes caused by a nearby Linksys access point. (See the thread if you wish.) I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the way ipfw handles IPsec packets.

After IPsec processes the packets, it passes the packets to the firewall without the ESP flag set. Before the upgrade to 4.7-STABLE, I was using the firewall to prevent all but ESP packets on that interface. Now, I can't figure out how to firewall all but IPsec packets on my wireless interface. I would like to get IPsec going instead of WEP, but I would need to somehow block non-ESP packets. Anybody have any suggestions?

Here is what I used before:

    # incoming dhcp requests
    ipfw add allow udp from any 68 to any 67 \
        in recv wi0
    # allow esp key exchange in
    ipfw add allow { tcp or udp } from ${LAN} to me 500 \
        in recv wi0
    # allow encrypted data in
    ipfw add allow { esp or ah } from ${LAN} to ${LAN} \
        in recv wi0
    # default rule is to block all

I heard you can block non-IPsec packets with the /etc/ipsec.conf file. That would be acceptable, if I could figure out how to do it. Here is my /etc/ipsec.conf file:

    # mini-ben-wl (winXP)
    spdadd 0.0.0.0/0 192.168.17.106/32 ip4 -P out ipsec esp/tunnel/192.168.17.100-192.168.17.106/require;
    spdadd 192.168.17.106/32 0.0.0.0/0 ip4 -P in ipsec esp/tunnel/192.168.17.106-192.168.17.100/require;
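An added example (not from the original post or from FreeBSD): a small Python audit script that parses spdadd statements in the KAME /etc/ipsec.conf format shown above and reports which wireless client addresses lack a "require" policy in either direction, since a host with no such policy is exactly the traffic the SPD will not force through ESP. The second client address and its one-way policy are constructed sample data; only single-line spdadd statements are handled.

```python
import re

# Constructed sample: the poster's two lines plus a second client that only
# has an outbound policy (a deliberately incomplete entry for the audit to catch).
SAMPLE_CONF = """\
# mini-ben-wl (winXP)
spdadd 0.0.0.0/0 192.168.17.106/32 ip4 -P out ipsec esp/tunnel/192.168.17.100-192.168.17.106/require;
spdadd 192.168.17.106/32 0.0.0.0/0 ip4 -P in ipsec esp/tunnel/192.168.17.106-192.168.17.100/require;
# second-client (constructed): inbound policy missing
spdadd 0.0.0.0/0 192.168.17.107/32 ip4 -P out ipsec esp/tunnel/192.168.17.100-192.168.17.107/require;
"""

# One single-line spdadd statement:
#   spdadd <src> <dst> <upperspec> -P <in|out> ipsec <proto>/<mode>/<endpoints>/<level>;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/(\w+)/([^/]*)/(\w+)\s*;"
)


def parse_spd(text):
    """Return one dict per spdadd statement; '#' comments and other lines are skipped."""
    policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SPDADD_RE.match(line)
        if m:
            src, dst, direction, proto, mode, _endpoints, level = m.groups()
            policies.append({"src": src, "dst": dst, "dir": direction,
                             "proto": proto, "mode": mode, "level": level})
    return policies


def uncovered_hosts(text, hosts):
    """Map each host (as 'a.b.c.d/32') to the directions lacking a 'require' policy."""
    policies = parse_spd(text)
    gaps = {}
    for host in hosts:
        have_in = any(p["dir"] == "in" and p["src"] == host and p["level"] == "require"
                      for p in policies)
        have_out = any(p["dir"] == "out" and p["dst"] == host and p["level"] == "require"
                       for p in policies)
        missing = [d for d, ok in (("in", have_in), ("out", have_out)) if not ok]
        if missing:
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    clients = ["192.168.17.106/32", "192.168.17.107/32", "192.168.17.108/32"]
    for host, dirs in uncovered_hosts(SAMPLE_CONF, clients).items():
        print(f"{host}: no 'require' policy for {', '.join(dirs)}")
```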