Date: Tue, 14 Jan 2003 00:30:25 -0500
From: "Ben Pfountz" <netprince@vt.edu>
To: <freebsd-mobile@FreeBSD.ORG>
Subject: Requiring IPsec on wi interface?
Message-ID: <002301c2bb8e$0a85db90$6511a8c0@benspiece>
I just fixed my wi interface by upgrading to 4.7-STABLE. The upgrade was required in order to prevent crashes caused by a nearby Linksys access point (see the thread if you wish). I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the way ipfw handles IPsec packets. After IPsec processes the packets, it passes the packets to the firewall without the ESP flag set. Before the upgrade to 4.7-STABLE, I was using the firewall to prevent all but ESP packets on that interface. Now I can't figure out how to firewall all but IPsec packets on my wireless interface. I would like to get IPsec going instead of WEP, but I would need to somehow block non-ESP packets. Anybody have any suggestions?

Here is what I used before:

    # incoming dhcp requests
    ipfw add allow udp from any 68 to any 67 \
        in recv wi0
    # allow esp key exchange in
    ipfw add allow { tcp or udp } from ${LAN} to me 500 \
        in recv wi0
    # allow encrypted data in
    ipfw add allow { esp or ah } from ${LAN} to ${LAN} \
        in recv wi0
    # default rule is to block all

I heard you can block non-IPsec packets with the /etc/ipsec.conf file. That would be acceptable, if I could figure out how to do it. Here is my /etc/ipsec.conf file:

    # mini-ben-wl (winXP)
    spdadd 0.0.0.0/0 192.168.17.106/32 ip4 -P out ipsec esp/tunnel/192.168.17.100-192.168.17.106/require;
    spdadd 192.168.17.106/32 0.0.0.0/0 ip4 -P in ipsec esp/tunnel/192.168.17.106-192.168.17.100/require;
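One way to move the "everything except key exchange and DHCP must be inside ESP" requirement out of ipfw and into the SPD, as an added example that is not part of the original post: a shell function that emits a setkey(8) policy script. It reuses the two addresses from the post (192.168.17.100 as this host, 192.168.17.106 as the wireless peer); the cleartext exception selectors, the first-match lookup-order assumption and the statement that a "require" policy makes the IPsec stack discard unprotected inbound packets before ipfw sees them are assumptions about the KAME-derived stack that should be verified on the target kernel.

```shell
#!/bin/sh
# Added example, not from the original post: emit a setkey(8) policy script that
# requires ESP for all traffic between this host and one wireless peer, while
# leaving IKE (UDP 500) and DHCP (UDP 67/68) in the clear so an SA can be set up.
# HOST/PEER default to the addresses in the post; the tunnel endpoints, the bypass
# selectors and the lookup-order assumption are the example's, not the poster's.

# gen_spd HOST PEER  -> SPD entries on stdout, suitable for `setkey -f -`
gen_spd() {
    host="$1"; peer="$2"
    cat <<EOF
spdflush;
# Cleartext exceptions first: the SPD is searched in order (assumption) and these
# must win over the catch-all below, or IKE and DHCP renewals can never complete.
spdadd ${host}[500] ${peer}[500] udp -P out none;
spdadd ${peer}[500] ${host}[500] udp -P in none;
spdadd ${host}[67] ${peer}[68] udp -P out none;
spdadd ${peer}[68] ${host}[67] udp -P in none;
# Everything else exchanged with the peer must be inside ESP. With level
# "require", unprotected inbound packets matching this selector are dropped by
# the IPsec stack, so ipfw never sees them even though the decrypted copy it
# does see no longer carries an ESP header.
spdadd ${host}/32 ${peer}/32 any -P out ipsec esp/tunnel/${host}-${peer}/require;
spdadd ${peer}/32 ${host}/32 any -P in ipsec esp/tunnel/${peer}-${host}/require;
EOF
}

# count_level HOST PEER LEVEL -> number of entries ending in LEVEL ("none"/"require");
# a self-check that the cleartext bypasses were not lost when editing the template.
count_level() {
    gen_spd "$1" "$2" | grep -c "[/ ]$3;\$"
}

# Stand-alone use: print the script for review, then pipe it into `setkey -f -`.
if [ "${1:-}" = "--print" ]; then
    gen_spd "${2:-192.168.17.100}" "${3:-192.168.17.106}"
fi
```

The ipfw rules from the post still belong on wi0 alongside this policy: the SPD decides which cleartext the IPsec stack accepts, while ipfw continues to limit what reaches the host in the first place.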