Date: Thu, 7 Dec 2000 09:23:58 +0200 (IST)
From: Roman Shterenzon <roman@xpert.com>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: Dominick LaTrappe <seraf@2600.COM>, <freebsd-security@FreeBSD.ORG>
Subject: Re: filtering ipsec traffic
Message-ID: <Pine.LNX.4.30.0012070921180.7070-100000@jamus.xpert.com>
In-Reply-To: <200011291519.eATFJSN20826@cwsys.cwsent.com>
On Wed, 29 Nov 2000, Cy Schubert - ITSD Open Systems Group wrote:

> In message <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com>,
> Dominick LaTrappe writes:
> > It seems that, on the way in, ipfilter on FreeBSD gets packets before KAME
> > does, and on the way out, after. This limits ipfilter to inspecting
> > traffic from IPsec peers on layer 3 only. Since I see no
> > packet-filtering mechanism in KAME itself, this presents a severe
> > limitation, namely that I must trust my IPsec peers enough for their
> > traffic to bypass any layer-4 filters.
> >
> > Is there some way to give ipfilter two passes, pre-KAME and post-KAME?
> > The even better fix, I suppose, would be to have 4 ipfilter rulesets
> > instead of 2 -- pre-KAME in, pre-KAME out, post-KAME in, post-KAME out.
> >
> > In the meantime, I'm using tcpwrappers as a last line of defense where I
> > can, but it's not enough.
>
> Looking at the source, I don't see any references to IPFW either,
> meaning this is not a simple copy-the-code change.
>
> One option would be to set up a point-to-point IPSec tunnel between the
> two gateways, then use an IP tunnel within it. Alternatively you
> could use pipsecd, which sets up an IPSec tunnel and defines a tun
> interface, which can be filtered using IP Filter or IPFW.

Sorry for the late reply;
Then you'll have to bear in mind that everything is done in userspace,
thus limiting it to low-traffic cases. (Does it need two cs per packet, or
more?)
Perhaps it is the "move code" from here to there?
May it be possible to make ipf pass before KAME in both directions, or am I
completely missing the point?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
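As an added illustration of the workaround Cy describes (an IP tunnel carried inside IPsec, so the decrypted traffic shows up on its own interface where ipfilter can see its layer-4 headers), not taken from this thread or from the FreeBSD tree: an ipfilter ruleset for one gateway. It assumes a gif0 tunnel between gateways 192.0.2.1 (this host) and 198.51.100.1 (peer), inner networks 10.0.1.0/24 (local) and 10.0.2.0/24 (peer), outside interface fxp0, and a transport-mode ESP policy protecting the gif encapsulation; all addresses and interface names are made up, and the setkey/ifconfig lines in the comments are the assumed setup rather than part of the ruleset.

```ipf
# Assumed setup on this gateway (constructed addresses, not from the thread):
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 0xffffffff
#   setkey -c <<EOF
#   spdadd 192.0.2.1 198.51.100.1 ipencap -P out ipsec esp/transport//require;
#   spdadd 198.51.100.1 192.0.2.1 ipencap -P in  ipsec esp/transport//require;
#   EOF

# Outside interface: ipf runs before KAME on input, so from the peer it only
# ever sees ESP and IKE here; no layer-4 decision about the inner traffic is
# possible at this point.
pass in  quick on fxp0 proto esp from 198.51.100.1 to 192.0.2.1
pass out quick on fxp0 proto esp from 192.0.2.1 to 198.51.100.1
pass in  quick on fxp0 proto udp from 198.51.100.1 port = 500 to 192.0.2.1 port = 500
pass out quick on fxp0 proto udp from 192.0.2.1 port = 500 to 198.51.100.1 port = 500
# With the SPD requiring ESP, the gif encapsulation never legitimately appears
# in the clear on fxp0; drop and log anything else from the peer address.
block in log quick on fxp0 from 198.51.100.1 to any

# Tunnel interface: after KAME decrypts the ESP and gif decapsulates the inner
# packet, it is re-injected through ip_input and ipf sees it on gif0 with its
# TCP/UDP headers intact. Layer-4 policy for the peer's network lives here,
# so the peer is no longer trusted to bypass it.
pass in  quick on gif0 proto tcp from 10.0.2.0/24 to 10.0.1.0/24 port = 22 flags S keep state
pass in  quick on gif0 proto tcp from 10.0.2.0/24 to 10.0.1.0/24 port = 25 flags S keep state
pass in  quick on gif0 proto icmp from 10.0.2.0/24 to 10.0.1.0/24 icmp-type echo keep state
pass out quick on gif0 proto tcp from 10.0.1.0/24 to 10.0.2.0/24 flags S keep state
# Everything else from the peer, although it was authenticated by ESP, is
# dropped and logged on the tunnel interface.
block in  log quick on gif0 all
block out log quick on gif0 all
```

Load with `ipf -Fa -f /etc/ipf.rules` and check hits with `ipfstat -io`; the two `block ... log` lines are what to watch on the gif0 side, since they record traffic that passed the IPsec peer check but failed layer-4 policy.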