Date: Thu, 22 Mar 2001 04:10:29 +0900
From: itojun@iijlab.net
To: Mike Harding <mvh@ix.netcom.com>
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC/VPN/NAT and filtering
Message-ID: <10518.985201829@coconut.itojun.org>
In-Reply-To: mvh's message of Wed, 21 Mar 2001 08:36:57 PST. <20010321163657.D0333113CB1@netcom1.netcom.com>
> My modest proposal would be to have a sysctl variable to indicate an
> alternate interface to reinject the decrypted packets (like a local
> loopback, the default or maybe a new one, lo1). Then you know that
> anything coming in that interface was inserted by the KAME stack and
> you can apply filtering to it. This would allow firewall and IPSEC
> gateway functionality to be put into the same box.

strong no to changing m->m_pkthdr.rcvif on IPsec tunnel operations. that behavior will kill scoped addresses, as well as recently-discussed-to-death strong host model node.

see latest NetBSD source code tree, and the following URL, on how we handled it (now ipfilter looks at wire format packet only). i have no environment/time to do the same on freebsd, but i can say that the foundations are there in kame and netbsd tree. (you can check if the packet went through IPsec on inbound, by using ipsec_gethist())

http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

itojun
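The design point in the reply above, as an added userland model (this is not KAME, NetBSD or FreeBSD kernel code, and the struct layouts, the `pkt_addhist()`/`pkt_gethist()` stand-ins and their signatures are assumptions made for this example; the real `ipsec_gethist()` has a different interface). The model keeps the real receive interface on a decapsulated packet and records the IPsec layers it passed, so a filter rule can decide from that history, and it shows why rewriting `rcvif` to a loopback pseudo-interface breaks a scoped-address check even though the filter itself would still work.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the approach in the reply: a decapsulated packet keeps
 * its real rcvif and carries an IPsec history instead.  All names here are
 * assumptions; nothing below is the kernel's own API. */

#define PROTO_ESP 50
#define PROTO_AH  51
#define MAXHIST   4

struct ipsec_hist {
    int      proto;   /* PROTO_ESP or PROTO_AH */
    uint32_t spi;     /* SA that protected the packet */
};

/* Stand-in for the mbuf packet-header fields this argument is about. */
struct pkt {
    const char       *rcvif;         /* interface the packet really arrived on */
    bool              src_linklocal; /* source is a scoped (link-local) address */
    const char       *src_zone;      /* interface the scoped source belongs to */
    struct ipsec_hist hist[MAXHIST];
    int               nhist;
};

/* Models ipsec_addhist(): append one IPsec layer to the packet's history. */
static bool pkt_addhist(struct pkt *p, int proto, uint32_t spi)
{
    if (p->nhist >= MAXHIST)
        return false;
    p->hist[p->nhist].proto = proto;
    p->hist[p->nhist].spi = spi;
    p->nhist++;
    return true;
}

/* Models ipsec_gethist(): hand the history to a caller such as a filter. */
static const struct ipsec_hist *pkt_gethist(const struct pkt *p, int *n)
{
    *n = p->nhist;
    return p->nhist ? p->hist : NULL;
}

/* Inbound ESP tunnel-mode decapsulation, NetBSD style: rcvif is untouched. */
static void esp_decap_keep_rcvif(struct pkt *inner, uint32_t spi)
{
    pkt_addhist(inner, PROTO_ESP, spi);
}

/* The quoted proposal: reinject the inner packet as if it came from lo1. */
static void esp_decap_rewrite_rcvif(struct pkt *inner, uint32_t spi, const char *pseudo_if)
{
    pkt_addhist(inner, PROTO_ESP, spi);
    inner->rcvif = pseudo_if;
}

/* Scoped-address check of a strong-host stack: a link-local source must
 * belong to the interface the packet was received on. */
static bool scope_check(const struct pkt *p)
{
    return !p->src_linklocal || strcmp(p->src_zone, p->rcvif) == 0;
}

enum verdict { BLOCK = 0, PASS = 1 };

/* Rule "accept only if ESP protected it", decided from the history rather
 * than from which interface the packet appears to come from. */
static enum verdict filter_require_esp(const struct pkt *p)
{
    int n;
    const struct ipsec_hist *h = pkt_gethist(p, &n);
    for (int i = 0; i < n; i++)
        if (h[i].proto == PROTO_ESP)
            return PASS;
    return BLOCK;
}

/* Constructed packet: link-local source scoped to sk0, received on sk0. */
static struct pkt sample_packet(void)
{
    struct pkt p = { "sk0", true, "sk0", {{0, 0}}, 0 };
    return p;
}

/* Keep rcvif + history: the packet passes both the scope check and the rule. */
bool history_approach_ok(void)
{
    struct pkt p = sample_packet();
    esp_decap_keep_rcvif(&p, 0x1000);
    return scope_check(&p) && filter_require_esp(&p) == PASS;
}

/* Cleartext on the same interface has no history and is blocked. */
bool cleartext_blocked(void)
{
    struct pkt p = sample_packet();
    return filter_require_esp(&p) == BLOCK;
}

/* Rewriting rcvif: the rule still passes, but the scope check now fails
 * because the packet claims to have arrived on lo1. */
bool rewrite_breaks_scope(void)
{
    struct pkt p = sample_packet();
    esp_decap_rewrite_rcvif(&p, 0x1000, "lo1");
    return !scope_check(&p) && filter_require_esp(&p) == PASS;
}

int main(void)
{
    printf("keep rcvif + history: %s\n", history_approach_ok() ? "ok" : "broken");
    printf("cleartext blocked:    %s\n", cleartext_blocked() ? "ok" : "broken");
    printf("rewrite rcvif:        %s\n", rewrite_breaks_scope() ? "scope check fails" : "unexpected");
    return 0;
}
```

The third function is the whole objection in the reply: once the decapsulated packet is made to look like it arrived on a pseudo-interface, any logic keyed on the true receive interface (scoped addresses, the strong host model) sees a packet that cannot have come from where it says, while consulting the IPsec history gives the filter the same information without disturbing `rcvif`.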