From owner-freebsd-net Mon Jan 14 23:42:55 2002
Delivered-To: freebsd-net@freebsd.org
Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.19]) by hub.freebsd.org (Postfix) with ESMTP id 1D3BD37B417 for ; Mon, 14 Jan 2002 23:42:52 -0800 (PST)
Received: from there (coffee.syncrontech.com [62.71.8.37]) by guinness.syncrontech.com (8.11.1/8.11.1) with SMTP id g0F7Xww91320; Tue, 15 Jan 2002 09:33:58 +0200 (EET) (envelope-from ari.suutari@syncrontech.com)
Message-Id: <200201150733.g0F7Xww91320@guinness.syncrontech.com>
Content-Type: text/plain; charset="iso-8859-1"
From: Ari Suutari
To: Rene de Vries , "Kshitij Gunjikar"
Subject: Re: Filtering packets received through an ipsec tunnel
Date: Tue, 15 Jan 2002 09:42:37 +0200
X-Mailer: KMail [version 1.3.2]
Cc: net@FreeBSD.ORG
References:
In-Reply-To:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

On Monday 14 January 2002 19:55, Rene de Vries wrote:
> Kshitij,
> A good solution, from my point of view, would be, instead of passing
> everything from an ipsec tunnel, using ip-filter (&co, but without
> dummynet) on emerging packets. These packets should then have a different
> interface or a special flag for easy testing in ip-filter (&co).
> I don't know what the best solution would be, extending ip-filter with
> an extra flag or adding a special (dummy) interface. My gut feeling is a
> special flag makes more sense, but will break current ip-filter/ipfw
> syntax/configurations.
>
This kind of flag might be easy to add to ipfw, I think.
Currently, in ip_input there is:

	if (ipsec_gethist(m, NULL))
		goto pass;

Maybe one could remove this, add an 'ipsec' flag to ipfw (which would use the above ipsec_gethist to match it) so the syntax would be something like this:

	ipfw add pass tcp from a to b ipsec setup	# matches only packets that came via ipsec stack
	ipfw add pass 50 from a to b			# matches packets that didn't come via ipsec

I think that this would be much cleaner than fake interfaces most implementations seem to use.

	Ari S.
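As an added illustration (not part of this thread and not FreeBSD's kernel code), the following C model contrasts the two behaviours under discussion: the unconditional "if (ipsec_gethist(m, NULL)) goto pass;" bypass in ip_input, and the proposed 'ipsec' match option evaluated inside the ruleset. The packet and rule structs, the hosts "a", "b" and "c", and the helper names are assumptions made for the demonstration; the two rules are the ones written in the mail. The model shows why the bypass matters for filtering: a decapsulated packet addressed to a host the ruleset never allows passes untouched under the bypass but is denied once it walks the rules, while a cleartext packet that merely claims the tunnel peer's source address cannot use the ipsec-only rule.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the packet attributes the firewall hook sees.
 * Not FreeBSD's mbuf: ipsec_hist stands in for "ipsec_gethist(m, NULL)
 * returned non-NULL", i.e. the IPsec stack decapsulated this packet
 * before it reached the filter hook in ip_input.
 */
struct pkt {
    const char *src, *dst;
    uint8_t proto;      /* 6 = TCP, 50 = ESP */
    bool syn_only;      /* TCP SYN without ACK, what ipfw calls "setup" */
    bool ipsec_hist;
};

enum action { DENY = 0, PASS = 1 };

/* One rule in the syntax proposed in the mail (assumed field layout):
 *   ipfw add <action> <proto> from <src> to <dst> [ipsec] [setup]   */
struct rule {
    enum action act;
    uint8_t proto;          /* 0 = any protocol */
    const char *src, *dst;  /* "any" matches every address */
    bool want_ipsec;        /* the proposed 'ipsec' match option */
    bool want_setup;
};

static bool addr_match(const char *pat, const char *a)
{
    return strcmp(pat, "any") == 0 || strcmp(pat, a) == 0;
}

static bool rule_matches(const struct rule *r, const struct pkt *p)
{
    if (r->proto != 0 && r->proto != p->proto) return false;
    if (!addr_match(r->src, p->src) || !addr_match(r->dst, p->dst)) return false;
    if (r->want_ipsec && !p->ipsec_hist) return false;
    if (r->want_setup && !p->syn_only) return false;
    return true;
}

/* Proposed behaviour: every packet walks the ruleset; 'ipsec' is just
 * another match option, and the list ends in an implicit deny. */
enum action filter_rules(const struct rule *rs, size_t n, const struct pkt *p)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rs[i], p)) return rs[i].act;
    return DENY;
}

/* Behaviour quoted from ip_input: anything with IPsec history skips
 * the filter entirely ("if (ipsec_gethist(m, NULL)) goto pass;"). */
enum action filter_with_bypass(const struct rule *rs, size_t n, const struct pkt *p)
{
    if (p->ipsec_hist) return PASS;
    return filter_rules(rs, n, p);
}

/* The two rules from the mail, with hosts "a" and "b" as written there. */
const struct rule sample_rules[] = {
    { PASS,  6, "a", "b", true,  true  },  /* pass tcp from a to b ipsec setup */
    { PASS, 50, "a", "b", false, false },  /* pass 50 from a to b              */
};
const size_t sample_nrules = 2;

/* Constructed packets; host "c" is an extra inside host the rules never mention. */
const struct pkt sample_pkts[] = {
    { "a", "b", 50, false, false },  /* 0: outer ESP packet from a                */
    { "a", "b",  6, true,  true  },  /* 1: decapsulated TCP SYN a->b              */
    { "a", "c",  6, true,  true  },  /* 2: decapsulated TCP SYN a->c (not allowed) */
    { "a", "b",  6, true,  false },  /* 3: cleartext TCP SYN claiming src a        */
};
const size_t sample_npkts = 4;

int main(void)
{
    for (size_t i = 0; i < sample_npkts; i++) {
        const struct pkt *p = &sample_pkts[i];
        printf("pkt %zu %s->%s proto %u ipsec=%d: bypass=%s rules=%s\n", i,
               p->src, p->dst, (unsigned)p->proto, (int)p->ipsec_hist,
               filter_with_bypass(sample_rules, sample_nrules, p) ? "pass" : "deny",
               filter_rules(sample_rules, sample_nrules, p) ? "pass" : "deny");
    }
    return 0;
}
```

Packet 2 is the interesting row: under the bypass it is passed without any rule ever being consulted, under the proposed scheme it falls through to the default deny. Packet 3 shows the other direction, a cleartext packet cannot satisfy a rule that requires the 'ipsec' attribute, so the ruleset can distinguish tunnel traffic from traffic that only looks like it.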