Date: Tue, 28 Nov 2000 23:49:09 -0500 (EST) From: Dominick LaTrappe <seraf@2600.COM> To: freebsd-security@freebsd.org Subject: filtering ipsec traffic Message-ID: <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com>
It seems that, on the way in, ipfilter on FreeBSD gets packets before KAME does, and on the way out, after. This limits ipfilter to inspecting traffic from IPsec peers on layer 3 only. Since I see no packet-filtering mechanism in KAME itself, this presents a severe limitation, namely that I must trust my IPsec peers enough for their traffic to bypass any layer-4 filters.

Is there some way to give ipfilter two passes, pre-KAME and post-KAME? The even better fix, I suppose, would be to have 4 ipfilter rulesets instead of 2 -- pre-KAME in, pre-KAME out, post-KAME in, post-KAME out.

In the meantime, I'm using tcpwrappers as a last-line-of-defense where I can, but it's not enough.

||| Dominick
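The limitation described in the message above, shown as an ipfilter ruleset. This is an added illustration, not part of the original post or of the FreeBSD/KAME sources; the interface name fxp0, the peer address 192.0.2.2 and the local address 192.0.2.1 are assumed for the example.

```text
# Constructed ipf.conf fragment (example, not from the post).
# Inbound: ipfilter runs before KAME, so the only thing it can match
# from the IPsec peer is the outer ESP/AH packet and the IKE exchange.
pass in quick on fxp0 proto udp from 192.0.2.2 to 192.0.2.1 port = 500
pass in quick on fxp0 proto esp from 192.0.2.2 to 192.0.2.1

# This rule never matches the peer's traffic: the telnet packet only
# exists after KAME has decapsulated the ESP packet, which is after
# ipfilter has already seen (and passed) it.
block in quick on fxp0 proto tcp from 192.0.2.2 to 192.0.2.1 port = 23

# Outbound: ipfilter runs after KAME, so it sees only the ESP packet
# towards the peer, never the inner TCP/UDP headers.
pass out quick on fxp0 proto esp from 192.0.2.1 to 192.0.2.2

block in all
block out all
```

The point of the fragment is the third rule: with a single inbound pass that happens before decapsulation, any layer-4 policy against the peer's inner traffic is unreachable, which is why the post asks for separate pre-KAME and post-KAME rule sets.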