From owner-freebsd-net Thu Nov 30 2:28:35 2000
Delivered-To: freebsd-net@freebsd.org
Received: from pogo.caustic.org (pogo.caustic.org [208.44.193.69]) by hub.freebsd.org (Postfix) with ESMTP id 80F5437B400 for ; Thu, 30 Nov 2000 02:28:33 -0800 (PST)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.0/ignatz) with ESMTP id eAUASMD30310; Thu, 30 Nov 2000 02:28:22 -0800 (PST)
Date: Thu, 30 Nov 2000 02:28:22 -0800 (PST)
From: "f.johan.beisser"
To: itojun@iijlab.net
Cc: Dominick LaTrappe, freebsd-net@FreeBSD.ORG, Cy Schubert - ITSD Open Systems Group, Gerhard Sittig
Subject: Re: filtering ipsec traffic (fwd)
In-Reply-To: <20718.975566409@coconut.itojun.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 30 Nov 2000 itojun@iijlab.net wrote:

> there are a couple of ways to make it better:
> - enhance packet filters so that we can differentiate between multiple
>   filtering points (make it possible to specify "this filter should
>   be applied here").

Couldn't you just add a set of commands in IPFW to recognise IPSec packets? This may not work right off the bat, since the packet has passed through the filterset already, but I don't see why it couldn't be recognised right off hand:

1. the IP packet comes in.
2. it passes through filterset A (NAT, etc).
3. the packet either matches IPSec (AH/ESP flags are set)
4. if it matches, it is forwarded to filterset B.
5. the packet is now sent through the alternate ruleset.

This slows things down a bit, but it allows for some more fine-grained filtering.

Within IPFilter you can set match rules; I don't know how difficult it would be to set them to recognise IPSec packets. If you match this flag, then jump to rule set XXXX.

I think that's about the best solution I can think of at 2:30 in the morning. Tear it apart.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                          jan@caustic.org
 "Never laugh at someone until you've walked a mile in their shoes.
  Then laugh. For you are a mile away, and you have their shoes."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
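The five-step dispatch sketched in the message above, as an added Python model that is not part of the original mail and not ipfw or IPFilter code: every packet runs through ruleset A, a rule matching IP protocol 50 (ESP) or 51 (AH), which is how AH and ESP are identified in the outer IP header, jumps to ruleset B, and ruleset B decides on the outer source address and the SPI pulled from the AH/ESP header. The peer address, SPI values, rule numbers and sample packets are constructed for the example. Note that ruleset B only ever sees the outer AH/ESP envelope, so it can match the peer and the SA but not the decapsulated inner packet; filtering that is the separate filtering point the quoted reply refers to.

```python
"""Toy two-stage packet filter: ruleset A sees every packet, AH/ESP packets
are diverted to ruleset B.  Added illustration, not FreeBSD ipfw/IPFilter code;
rulesets, peer addresses, SPIs and sample packets are constructed here."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, Optional

IPPROTO_TCP = 6
IPPROTO_ESP = 50   # ESP is IP protocol 50 (RFC 2406)
IPPROTO_AH = 51    # AH is IP protocol 51 (RFC 2402)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    spi: Optional[int]   # SPI for AH/ESP packets, None for everything else


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def parse_ipv4(raw: bytes) -> Packet:
    """Parse the outer header; for AH/ESP also read the SPI from the IPsec header."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    body = raw[(ver_ihl & 0x0F) * 4:total_len]
    spi = None
    if proto == IPPROTO_ESP and len(body) >= 8:
        spi = struct.unpack("!I", body[:4])[0]       # ESP: SPI(4) seq(4) ...
    elif proto == IPPROTO_AH and len(body) >= 12:
        spi = struct.unpack("!I", body[4:8])[0]      # AH: next(1) len(1) rsvd(2) SPI(4) seq(4) ...
    return Packet(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, spi)


@dataclass
class Rule:
    number: int
    action: str                       # "allow", "deny" or "skipto"
    match: Callable[[Packet], bool]
    target: Optional[str] = None      # ruleset name, only for "skipto"


def is_ipsec(p: Packet) -> bool:
    return p.proto in (IPPROTO_ESP, IPPROTO_AH)


def from_net(cidr: str) -> Callable[[Packet], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in net


# Constructed rulesets: A is the general filter (step 2 in the message),
# B is the alternate ruleset that only AH/ESP packets reach (steps 4 and 5).
KNOWN_PEER = "192.0.2.10"       # hypothetical IPsec peer
KNOWN_SPI = 0x1000              # hypothetical inbound SA
RULESETS = {
    "A": [
        Rule(100, "skipto", is_ipsec, target="B"),
        Rule(200, "allow", from_net("10.0.0.0/8")),
        Rule(65535, "deny", lambda p: True),
    ],
    "B": [
        Rule(1000, "allow", lambda p: p.proto == IPPROTO_ESP and p.src == KNOWN_PEER and p.spi == KNOWN_SPI),
        Rule(1010, "allow", lambda p: p.proto == IPPROTO_AH and p.src == KNOWN_PEER),
        Rule(1020, "deny", lambda p: True),     # unknown peer or SA: drop
    ],
}


def filter_packet(raw: bytes, rulesets=RULESETS, start="A"):
    """Return (decision, trace); trace lists the (ruleset, rule number, action) hits."""
    pkt = parse_ipv4(raw)
    trace, name, seen = [], start, set()
    while name not in seen:
        seen.add(name)
        for rule in rulesets[name]:
            if not rule.match(pkt):
                continue
            trace.append((name, rule.number, rule.action))
            if rule.action == "skipto":
                name = rule.target
                break
            return rule.action, trace
        else:
            trace.append((name, None, "deny"))  # fell off the end: implicit deny
            return "deny", trace
    raise RuntimeError("skipto loop")  # ipfw only allows forward jumps; guard anyway


# Constructed sample packets (RFC 5737 documentation addresses).
SAMPLES = {
    "esp_known_sa": build_ipv4(IPPROTO_ESP, KNOWN_PEER, "198.51.100.1",
                               struct.pack("!II", KNOWN_SPI, 1) + b"\x00" * 16),
    "esp_unknown_peer": build_ipv4(IPPROTO_ESP, "203.0.113.5", "198.51.100.1",
                                   struct.pack("!II", KNOWN_SPI, 1) + b"\x00" * 16),
    "ah_known_peer": build_ipv4(IPPROTO_AH, KNOWN_PEER, "198.51.100.1",
                                struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x2000, 1) + b"\x00" * 12),
    "tcp_internal": build_ipv4(IPPROTO_TCP, "10.1.2.3", "198.51.100.1", b"\x00" * 20),
    "tcp_external": build_ipv4(IPPROTO_TCP, "203.0.113.5", "198.51.100.1", b"\x00" * 20),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, *filter_packet(raw))
```

The trace makes the cost the message mentions visible: an AH/ESP packet is evaluated by both rulesets, while a plain packet never touches B. Matching on the SPI in B is what lets the alternate ruleset tie a packet to a specific SA rather than just to a peer.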