Date: Mon, 20 Jan 2003 17:31:49 -0700
From: Mike Durian <durian@boogie.com>
To: Pekka Nikander <pekka.nikander@nomadiclab.com>
Cc: freebsd-net@freebsd.org
Subject: Question about IPsec and double ipfilter processing
Message-ID: <200301201731.49942.durian@boogie.com>
I was looking through the FreeBSD mailing list archives trying to figure out why ipfilter is filtering on both encapsulated ESP packets and the decrypted packets (NetBSD says it should only filter on the line packets), when I saw a relevant posting. It looks like other people are frustrated by this double processing too. In a message Pekka Nikander says:

	From the security point of view this does not matter so much,
	since the IPsec code is taking care of the protection and
	dropping those packets.

Can you clarify this? In order to allow a peer network, 192.168.2.0/24, to connect to my network via a VPN, I need to pass ESP (fine) and then also 192.168.2.0/24 packets (I'm not so happy about this). Does your statement above imply the IPsec code will somehow filter non-ESP encapsulated packets from 192.168.2.0/24, thus protecting me from spoof attacks even though the firewall would appear to allow it?

Thanks,
mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301201731.49942.durian>
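The question above hinges on the order of the two checks an inbound packet goes through on an IPsec gateway: the packet filter sees both the outer ESP packet and, after decapsulation, the inner cleartext packet, and only then does the kernel consult the SPD. The following is an added model of that inbound decision, written for this page; it is not FreeBSD or KAME code and deliberately ignores SA lookup, replay windows and per-port selectors. Everything except the peer network 192.168.2.0/24 is an assumption: the local network 192.168.1.0/24, the tunnel endpoints 203.0.113.2 and 198.51.100.1, and the ipf-style rule set are constructed for the example. It shows why a cleartext packet with a source in 192.168.2.0/24 still gets dropped when the matching policy is "require", and why the same packet is accepted if the policy level is only "use".

```python
"""Model of inbound processing on an IPsec gateway: firewall, then SPD check.

Added example for this thread; simplified, not kernel code.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoints = Tuple[str, str]  # (remote gateway, local gateway) of a tunnel-mode SA

# Constructed addresses (assumptions, not from the thread) except the peer net.
REMOTE_GW, LOCAL_GW = "203.0.113.2", "198.51.100.1"
PEER_NET, LOCAL_NET = "192.168.2.0/24", "192.168.1.0/24"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                   # "esp", "tcp", "udp", "icmp"
    # Tunnel SAs this packet was decapsulated from; empty for a cleartext packet.
    sa_history: List[Endpoints] = field(default_factory=list)


@dataclass
class FirewallRule:
    action: str                                  # "pass" or "block"
    proto: Optional[str]                         # None matches any protocol
    src_net: str
    dst_net: str


@dataclass
class SPDEntry:
    src_net: str
    dst_net: str
    level: str                                   # "require", "use" or "none"
    tunnel: Optional[Endpoints]                  # endpoints for a tunnel-mode policy


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def firewall_decision(pkt: Packet, rules: List[FirewallRule]) -> str:
    """Last matching rule wins (ipf semantics without 'quick'); default is block."""
    decision = "block"
    for r in rules:
        if (r.proto is None or r.proto == pkt.proto) \
                and _in_net(pkt.src, r.src_net) and _in_net(pkt.dst, r.dst_net):
            decision = r.action
    return decision


def ipsec_in_reject(pkt: Packet, spd: List[SPDEntry]) -> bool:
    """True when the inbound policy check must drop the packet.

    A "require" policy is satisfied only if the packet was decapsulated from an
    SA whose tunnel endpoints match the policy; "use" and "none" accept
    cleartext as well, which is exactly the spoofing gap to avoid.
    """
    for p in spd:
        if _in_net(pkt.src, p.src_net) and _in_net(pkt.dst, p.dst_net):
            if p.level == "require":
                return p.tunnel not in pkt.sa_history
            return False
    return False                                 # no matching policy: not IPsec traffic


def inbound_decision(pkt: Packet, rules: List[FirewallRule], spd: List[SPDEntry]) -> str:
    """Firewall first (it sees the outer ESP packet and the inner packet), then SPD."""
    if firewall_decision(pkt, rules) == "block":
        return "drop:firewall"
    if pkt.proto != "esp" and ipsec_in_reject(pkt, spd):
        return "drop:ipsec-policy"
    return "pass"


def demo() -> Dict[str, str]:
    """Decisions for constructed packets under the rule set the poster describes."""
    rules = [
        FirewallRule("pass", "esp", REMOTE_GW, LOCAL_GW),   # let the tunnel in
        FirewallRule("pass", None, PEER_NET, LOCAL_NET),    # and the decrypted traffic
    ]
    require = [SPDEntry(PEER_NET, LOCAL_NET, "require", (REMOTE_GW, LOCAL_GW))]
    use = [SPDEntry(PEER_NET, LOCAL_NET, "use", (REMOTE_GW, LOCAL_GW))]
    inner = Packet("192.168.2.5", "192.168.1.10", "tcp")
    via_tunnel = Packet("192.168.2.5", "192.168.1.10", "tcp", [(REMOTE_GW, LOCAL_GW)])
    wrong_sa = Packet("192.168.2.5", "192.168.1.10", "tcp", [("192.0.2.9", LOCAL_GW)])
    return {
        "esp_outer": inbound_decision(Packet(REMOTE_GW, LOCAL_GW, "esp"), rules, require),
        "esp_from_stranger": inbound_decision(Packet("192.0.2.9", LOCAL_GW, "esp"), rules, require),
        "decapsulated": inbound_decision(via_tunnel, rules, require),
        "spoofed_cleartext": inbound_decision(inner, rules, require),
        "wrong_tunnel": inbound_decision(wrong_sa, rules, require),
        "spoofed_with_use_policy": inbound_decision(inner, rules, use),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The practical check on a real gateway is therefore not the firewall rule for 192.168.2.0/24 but the policy level in the SPD: a "require" policy for that selector is what turns the firewall's pass rule into "pass only if it came out of the expected tunnel", while a "use" policy leaves the spoofing path open exactly as the poster fears.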