From owner-freebsd-stable Thu Nov 21 7:39:23 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 15F0A37B401 for ; Thu, 21 Nov 2002 07:39:21 -0800 (PST)
Received: from grumpy.dyndns.org (user-24-214-34-52.knology.net [24.214.34.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54EE743E6E for ; Thu, 21 Nov 2002 07:39:20 -0800 (PST) (envelope-from dkelly@grumpy.dyndns.org)
Received: from grumpy.dyndns.org (localhost [127.0.0.1]) by grumpy.dyndns.org (8.12.6/8.12.6) with ESMTP id gALFdJgx058164; Thu, 21 Nov 2002 09:39:19 -0600 (CST) (envelope-from dkelly@grumpy.dyndns.org)
Received: (from dkelly@localhost) by grumpy.dyndns.org (8.12.6/8.12.6/Submit) id gALFdIIg058163; Thu, 21 Nov 2002 09:39:18 -0600 (CST)
Date: Thu, 21 Nov 2002 09:39:18 -0600
From: David Kelly
To: "Patrick M. Hausen"
Cc: Helge Oldach, archie@dellroad.org, guido@gvr.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <20021121153918.GA58136@grumpy.dyndns.org>
References: <20021121145332.GA57883@grumpy.dyndns.org> <200211211504.gALF4Sej086710@hugo10.ka.punkt.de>
In-Reply-To: <200211211504.gALF4Sej086710@hugo10.ka.punkt.de>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-stable@FreeBSD.ORG

On Thu, Nov 21, 2002 at 04:04:28PM +0100, Patrick M. Hausen wrote:
> > Other than my decrypted packets have started appearing to ipfw as if
> > they were coming from fxp1 (which is what started this mess) everything
> > else is working just fine.
>
> It is only filtering the decrypted packets that I'm talking about
> all the time. It's impossible to build a filter that says:
>
> - ESP from my peer is OK
> - 10... to 192.168... is OK if it's coming out of the ESP tunnel
> - 10... to 192.168... is _not_ OK if it's coming in my external IF
>   in plain text
>
> If you want to allow the decrypted traffic in, you have to allow all
> traffic with identical addresses, even if it hasn't arrived
> through the ESP tunnel but just came to the outside IF of your
> network by some other route.

I understand now. I can say ESP to/from my peer is OK. I can't (with
ipfw) say my private addresses are OK if via ESP, have to trust that
setkeys and the kernel IPsec stuff isn't allowing anything but.

Until decrypted packets started appearing to ipfw as if they came from
the IF they tunneled in via ESP, I could protect my external IF.

An esp0 or ipsec0 device would provide the handle ipfw needs.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
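The filter gap the two of them are describing, written out as an ipfw ruleset. This is an added example, not a ruleset posted in the thread. Only the external interface name fxp1 comes from the message; the peer and local gateway addresses, the two private networks and the rule numbers are assumptions chosen for illustration, and the script only prints the ipfw commands unless FWCMD is set to the real binary.

```shell
#!/bin/sh
# Added example for the IPsec/gif + ipfw discussion; not from the original thread.
# Assumed (constructed) topology:
#   fxp1          external interface, address 198.51.100.1 (ours)
#   203.0.113.1   remote IPsec gateway (peer)
#   192.168.1.0/24 behind us, 10.0.0.0/24 behind the peer
# By default the rules are echoed; run with FWCMD=/sbin/ipfw to load them.
fwcmd="${FWCMD:-echo /sbin/ipfw}"
ext_if=fxp1
me=198.51.100.1
peer=203.0.113.1
local_net=192.168.1.0/24
remote_net=10.0.0.0/24

load_rules() {
    $fwcmd -f flush

    # 1. The tunnel itself: IKE and ESP between the two gateways.
    #    This part ipfw can express exactly, because the outer packets
    #    really do arrive on the external interface with the peer's address.
    $fwcmd add 100 pass udp from $peer 500 to $me 500 in recv $ext_if
    $fwcmd add 110 pass udp from $me 500 to $peer 500 out xmit $ext_if
    $fwcmd add 120 pass esp from $peer to $me in recv $ext_if
    $fwcmd add 130 pass esp from $me to $peer out xmit $ext_if

    # 2. The decrypted inner packets. After decapsulation the kernel
    #    re-injects them and ipfw sees them as arriving on $ext_if, so the
    #    rule that lets the VPN work has to name $ext_if ...
    $fwcmd add 200 pass ip from $remote_net to $local_net in recv $ext_if

    # 3. ... and the rule one actually wants, "deny cleartext 10/8 -> 192.168/16
    #    arriving on the outside interface", cannot be written: a spoofed
    #    cleartext packet and a freshly decrypted one are indistinguishable
    #    to rule 200. Nothing here can close that gap; only the kernel's
    #    security policy database (setkey) can.
    $fwcmd add 210 pass ip from $local_net to $remote_net out

    $fwcmd add 65000 deny log ip from any to any
}

load_rules
```

The check that takes the place of the missing rule is the SPD: `setkey -DP` should show an inbound policy for the private pair with an `esp/tunnel/.../require` level, since the KAME stack discards an inbound cleartext packet that matches a `require` policy. That is the "trust that setkey and the kernel IPsec stuff isn't allowing anything but" in the message, made explicit. The handle the message asks for (an interface or match for decrypted traffic) was not available in the 4.x ipfw discussed here; later ipfw2 releases added an `ipsec` rule option that matches packets carrying IPsec history, which would allow rule 200 to be restricted to decrypted packets only.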