From owner-freebsd-mobile Mon Jan 13 21:49:46 2003
Delivered-To: freebsd-mobile@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5EB3337B401 for ; Mon, 13 Jan 2003 21:49:44 -0800 (PST)
Received: from lennier.cc.vt.edu (lennier.cc.vt.edu [198.82.162.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7AEEC43EB2 for ; Mon, 13 Jan 2003 21:49:43 -0800 (PST) (envelope-from netprince@vt.edu)
Received: from steiner.cc.vt.edu (IDENT:mirapoint@steiner-lb.cc.vt.edu [10.1.1.14]) by lennier.cc.vt.edu (8.11.4/8.11.4) with ESMTP id h0E5neL435890 for ; Tue, 14 Jan 2003 00:49:40 -0500 (EST)
Received: from ben.pfountz.com (Snell.vpec.vt.edu [128.173.89.238]) by steiner.cc.vt.edu (Mirapoint Messaging Server MOS 3.2.2-GA) with ESMTP id AXA83476; Tue, 14 Jan 2003 00:49:39 -0500 (EST)
Received: (qmail 1447 invoked from network); 14 Jan 2003 05:51:42 -0000
Received: from bpfountz.princenet (HELO benspiece) (192.168.17.101) by digitalpimp.princenet with SMTP; 14 Jan 2003 05:51:42 -0000
Message-ID: <000701c2bb90$c7bbe5e0$6511a8c0@benspiece>
From: "Ben Pfountz"
To:
References: <002301c2bb8e$0a85db90$6511a8c0@benspiece>
Subject: Re: Requireing IPsec on wi interface?
Date: Tue, 14 Jan 2003 00:50:01 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-freebsd-mobile@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I forgot to mention that I had a rule allowing all packets leaving the
machine, otherwise the ipfw statements below wouldn't ever work.

Something like this near the beginning:

# allow all packets leaving the system (outside, wired, and wireless)
${fwcmd} add allow all from any to any out xmit any

I have turned on logging at the end of my ruleset, and it appears that after
a packet passes the esp rule, it is accepted and then re-injected into the
firewall at the start as a regular packet, without the esp flag. This is
what is causing me the problems. I want to just accept all packets if they
came through the IPsec layer, and block them if they didn't.

Any suggestions?

Thanks in advance!

Ben

----- Original Message -----
From: "Ben Pfountz"
To:
Sent: Tuesday, January 14, 2003 12:30 AM
Subject: Requireing IPsec on wi interface?

> I just fixed my wi interface by upgrading to 4.7-STABLE. The upgrade was
> required in order to prevent crashes caused by a nearby Linksys access
> point. (see the thread if you wish)
>
> I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the way
> ipfw handles IPsec packets. After IPsec processes the packets, it passes
> the packets to the firewall without the ESP flag set. Before the upgrade to
> 4.7-STABLE, I was using the firewall to prevent all but ESP packets on that
> interface. Now, I can't figure out how to firewall all but IPsec packets on
> my wireless interface. I would like to get IPsec going instead of WEP, but
> I would need to somehow block non-ESP packets. Anybody have any
> suggestions?
>
> Here is what I used before:
>
> # incoming dhcp requests
> ipfw add allow udp from any 68 to any 67 \
>     in recv wi0
>
> # allow esp key exchange in
> ipfw add allow { tcp or udp } from ${LAN} to me 500 \
>     in recv wi0
>
> # allow encrypted data in
> ipfw add allow { esp or ah } from ${LAN} to ${LAN} \
>     in recv wi0
>
> # default rule is to block all
>
> I heard you can block non-ipsec packets with the /etc/ipsec.conf file. That
> would be acceptable, if I could figure out how to do it.
>
> Here is my /etc/ipsec.conf file:
>
> # mini-ben-wl (winXP)
> spdadd 0.0.0.0/0 192.168.17.106/32 ip4 -P out ipsec
>     esp/tunnel/192.168.17.100-192.168.17.106/require;
> spdadd 192.168.17.106/32 0.0.0.0/0 ip4 -P in ipsec
>     esp/tunnel/192.168.17.106-192.168.17.100/require;
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-mobile" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-mobile" in the body of the message
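The message above relies on a log rule at the end of the ruleset to see what actually reaches the default deny on wi0, and reports an accepted ESP packet followed by its decapsulated inner packet re-entering the ruleset as cleartext. The script below is an added example, not code from this thread or from FreeBSD: it reads such kernel log lines and tallies inbound traffic on the wireless interface by class (ESP/AH, IKE, DHCP, cleartext), and flags a cleartext packet from the same source immediately after an accepted ESP/AH packet as the likely re-injected inner packet, so the two causes of a cleartext deny (a host bypassing IPsec versus the re-injection the author observed) can be told apart in the logs. It assumes the FreeBSD 4.x ipfw log format "ipfw: <rule> <Accept|Deny> <proto> <src>[:port] <dst>[:port] <in|out> via <iface>", with non-TCP/UDP protocols printed as "P:<number>"; the sample log lines and the host addresses in them are constructed for the example.

```python
"""Audit ipfw log lines for a wireless interface that is meant to carry only
IPsec (ESP/AH), IKE and DHCP traffic.

Added example, not code from the mailing-list thread or from FreeBSD.
Assumed log format (FreeBSD 4.x kernel, syslog prefix optional):
    ipfw: <rule> <Accept|Deny> <proto> <src>[:port] <dst>[:port] <in|out> via <iface>
where protocols other than TCP/UDP/ICMP are printed as "P:<protocol number>".
The sample lines below are constructed for this example.
"""
import re
from collections import Counter

ESP, AH = "P:50", "P:51"   # how ipfw renders IP protocol 50 (ESP) and 51 (AH)
IKE_PORT = 500             # ISAKMP/IKE key exchange
DHCP_PORTS = {67, 68}

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny|Unreach|Reset|Count) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: an ESP packet is accepted, then its decapsulated inner
# packet (ssh from the same host) reappears as cleartext and hits the default
# deny rule, which is the behaviour described in the message above.
SAMPLE_LOG = [
    "Jan 14 00:45:10 ben /kernel: ipfw: 300 Accept P:50 192.168.17.106 192.168.17.100 in via wi0",
    "Jan 14 00:45:10 ben /kernel: ipfw: 65534 Deny TCP 192.168.17.106:1052 192.168.17.100:22 in via wi0",
    "Jan 14 00:45:11 ben /kernel: ipfw: 200 Accept UDP 192.168.17.106:500 192.168.17.100:500 in via wi0",
    "Jan 14 00:45:12 ben /kernel: ipfw: 100 Accept UDP 0.0.0.0:68 255.255.255.255:67 in via wi0",
    "Jan 14 00:45:13 ben /kernel: ipfw: 65534 Deny UDP 192.168.17.106:137 192.168.17.255:137 in via wi0",
    "Jan 14 00:45:14 ben /kernel: ipfw: 50 Accept TCP 192.168.17.100:22 192.168.17.106:1052 out via wi0",
]


def split_addr(field):
    """'192.168.17.106:500' -> ('192.168.17.106', 500); a bare address -> (addr, None)."""
    host, sep, port = field.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return field, None


def parse_line(line):
    """Return a dict for an ipfw log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["rule"] = int(e["rule"])
    e["src"], e["sport"] = split_addr(e["src"])
    e["dst"], e["dport"] = split_addr(e["dst"])
    return e


def classify(e):
    """Map a parsed entry to ipsec / ike / dhcp / cleartext."""
    if e["proto"] in (ESP, AH):
        return "ipsec"
    if e["proto"] == "UDP" and IKE_PORT in (e["sport"], e["dport"]):
        return "ike"
    if e["proto"] == "UDP" and {e["sport"], e["dport"]} <= DHCP_PORTS:
        return "dhcp"
    return "cleartext"


def audit(lines, iface):
    """Tally inbound traffic on iface by (action, class) and flag cleartext
    entries that directly follow an accepted ESP/AH packet from the same
    source: a heuristic for the decapsulated packet re-entering the ruleset."""
    counts = Counter()
    likely_reinjected = []
    last_ipsec_src = None
    for line in lines:
        e = parse_line(line)
        if e is None or e["iface"] != iface or e["dir"] != "in":
            continue
        kind = classify(e)
        counts[(e["action"], kind)] += 1
        if kind == "cleartext" and e["src"] == last_ipsec_src:
            likely_reinjected.append(e)
        # one accepted ESP/AH packet explains at most the very next cleartext entry
        last_ipsec_src = e["src"] if (kind == "ipsec" and e["action"] == "Accept") else None
    return {"counts": counts, "likely_reinjected": likely_reinjected}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, "wi0")
    for (action, kind), n in sorted(result["counts"].items()):
        print(f"{action:7} {kind:10} {n}")
    for e in result["likely_reinjected"]:
        print(f"rule {e['rule']}: {e['proto']} {e['src']} -> {e['dst']} "
              "looks like a decapsulated IPsec packet re-entering the ruleset")
```

Run against /var/log/security (or wherever syslog puts kernel ipfw messages) with the real interface name; a cleartext deny on wi0 that is not flagged as re-injected is a host sending outside the IPsec policy, which is what the ruleset is meant to stop.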