Date: Tue, 15 Jan 2002 13:34:29 +0100
From: Alex Le Heux <alexlh@funk.org>
To: Ari Suutari <ari.suutari@syncrontech.com>
Cc: Rene de Vries <rene@canyon.xs4all.nl>, Kshitij Gunjikar <kshitijgunjikar@yahoo.com>, net@FreeBSD.ORG
Subject: Re: Filtering packets received through an ipsec tunnel
Message-ID: <20020115123429.GV75815@funk.org>
In-Reply-To: <200201151213.g0FCDbw92015@guinness.syncrontech.com>
References: <E4E6F464-0917-11D6-AC08-00039357FA7A@canyon.xs4all.nl> <200201150733.g0F7Xww91320@guinness.syncrontech.com> <20020115121821.GU75815@funk.org> <200201151213.g0FCDbw92015@guinness.syncrontech.com>
On Tue, Jan 15, 2002 at 02:22:17PM +0200, Ari Suutari wrote:
> Hi,
>
> On Tuesday 15 January 2002 14:18, Alex Le Heux wrote:
> >
> > > Maybe one could remove this, add 'ipsec' flag to ipfw
> > > (which would use the above ipsec_gethist to match it)
> > > so the syntax would be something like this:
> > >
> > > ipfw add pass tcp from a to b ipsec setup # matches only packets that came
> > > via ipsec stack
> > > ipfw add pass 50 from a to b # matches packets that didn't come via ipsec
> >
> > [snip]
> >
> > This looks like it would work for most situations.
> >
> > What one would not be able to do this way is prevent spoofing. In an ideal
> > world I would also want to filter packets that come from the wrong tunnel.
>
> But doesn't the ipsec stack already take care of this? I think (hope)
> that it doesn't process the packet if it is coming from the wrong tunnel
> because the packet does not match the policy.
I'm not sure if it actually drops 'wrong' packets coming from the tunnel.
I'll see if I have some time soon to look into it.
Regards,
Alex Le Heux
--
"Although the force from the engine is a lot for a motorcycle, the Earth is
not impressed. The Motorcycle and I lose the 'F' and 'm' battle and have to
consume all the 'a' in the form of sheer unadulterated acceleration."
- Ian Orr
