Date: Tue, 14 Jan 2003 00:50:01 -0500
From: "Ben Pfountz" <netprince@vt.edu>
To: <freebsd-mobile@FreeBSD.ORG>
Subject: Re: Requiring IPsec on wi interface?
Message-ID: <000701c2bb90$c7bbe5e0$6511a8c0@benspiece>
References: <002301c2bb8e$0a85db90$6511a8c0@benspiece>
I forgot to mention that I had a rule allowing all packets leaving the machine, otherwise the ipfw statements below wouldn't ever work. Something like this near the beginning:

# allow all packets leaving the system (outside, wired, and wireless)
${fwcmd} add allow all from any to any out xmit any

I have turned on logging at the end of my ruleset, and it appears that after a packet passes the esp rule, it is accepted and then re-injected into the firewall at the start as a regular packet, without the esp flag. This is what is causing me the problems. I want to just accept all packets if they came through the IPsec layer, and block them if they didn't. Any suggestions?

Thanks in advance!
Ben

----- Original Message -----
From: "Ben Pfountz" <netprince@vt.edu>
To: <freebsd-mobile@FreeBSD.ORG>
Sent: Tuesday, January 14, 2003 12:30 AM
Subject: Requiring IPsec on wi interface?

> I just fixed my wi interface by upgrading to 4.7-STABLE. The upgrade was
> required in order to prevent crashes caused by a nearby Linksys access
> point. (see the thread if you wish)
>
> I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the way
> ipfw handles IPsec packets. After IPsec processes the packets, it passes
> the packets to the firewall without the ESP flag set. Before the upgrade to
> 4.7-STABLE, I was using the firewall to prevent all but ESP packets on that
> interface. Now, I can't figure out how to firewall all but IPsec packets on
> my wireless interface. I would like to get IPsec going instead of wep, but
> I would need to somehow block non-ESP packets. Anybody have any
> suggestions?
>
> Here is what I used before:
>
> # incoming dhcp requests
> ipfw add allow udp from any 68 to any 67 \
> in recv wi0
>
> # allow esp key exchange in
> ipfw add allow { tcp or udp } from ${LAN} to me 500 \
> in recv wi0
>
> # allow encrypted data in
> ipfw add allow { esp or ah } from ${LAN} to ${LAN} \
> in recv wi0
>
> # default rule is to block all
>
> I heard you can block non-ipsec packets with the /etc/ipsec.conf file. That
> would be acceptable, if I could figure out how to do it. Here is my
> /etc/ipsec.conf file:
>
> # mini-ben-wl (winXP)
> spdadd 0.0.0.0/0 192.168.17.106/32 ip4 -P out ipsec
> esp/tunnel/192.168.17.100-192.168.17.106/require;
> spdadd 192.168.17.106/32 0.0.0.0/0 ip4 -P in ipsec
> esp/tunnel/192.168.17.106-192.168.17.100/require;
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-mobile" in the body of the message
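Added example, not part of the thread or of any FreeBSD code: a small audit of the spdadd policies quoted above. It checks the two things that decide whether the SPD itself blocks cleartext on the wireless link: every policy uses the "require" level (a "use" level lets unprotected packets through) and every outbound policy has a mirror-image inbound policy with the tunnel endpoints swapped. The sample configurations are constructed; the weak variant is hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the /etc/ipsec.conf quoted in the message.
GOOD_CONF = """
# mini-ben-wl (winXP)
spdadd 0.0.0.0/0 192.168.17.106/32 ip4 -P out ipsec
    esp/tunnel/192.168.17.100-192.168.17.106/require;
spdadd 192.168.17.106/32 0.0.0.0/0 ip4 -P in ipsec
    esp/tunnel/192.168.17.106-192.168.17.100/require;
"""

# Constructed weak variant (hypothetical): 'use' level and no inbound policy.
WEAK_CONF = """
spdadd 0.0.0.0/0 192.168.17.106/32 ip4 -P out ipsec
    esp/tunnel/192.168.17.100-192.168.17.106/use;
"""

Policy = namedtuple("Policy", "src dst direction proto mode local remote level")

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/(tunnel|transport)(?:/([^\s/-]+)-([^\s/]+))?"
    r"/(default|use|require|unique)\s*;"
)

def parse_spd(text):
    """Parse setkey-style spdadd statements; comments stripped, continuation lines joined."""
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    return [Policy(*m.groups()) for m in SPD_RE.finditer(body)]

def audit(policies):
    """Return findings; an empty list means every flow is forced through IPsec both ways."""
    findings = []
    keys = {p[:7] for p in policies}          # all fields except the level
    for p in policies:
        if p.level != "require":
            findings.append(f"{p.direction} {p.src}->{p.dst}: level '{p.level}' allows cleartext")
        # mirror image: selectors and tunnel endpoints swapped, direction reversed
        mirror = (p.dst, p.src, "in" if p.direction == "out" else "out",
                  p.proto, p.mode, p.remote, p.local)
        if mirror not in keys:
            findings.append(f"{p.direction} {p.src}->{p.dst}: no matching reverse policy")
    return findings

if __name__ == "__main__":
    print(audit(parse_spd(GOOD_CONF)) or "SPD OK")
    print(audit(parse_spd(WEAK_CONF)))
```

Note that the SPD only covers flows matched by a policy; traffic outside those selectors (the IKE exchange on UDP 500 and the DHCP exchange) still has to be handled by ipfw.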