Date: Sat, 10 Dec 2005 14:01:48 +0300 (MSK)
From: Yuriy Tsibizov <Yuriy.Tsibizov@gfk.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Yuriy Tsibizov <Yuriy.Tsibizov@gfk.ru>
Subject: kern/90181: IPSEC_FILTERGIF documentation is incomplete
Message-ID: <200512101101.jBAB1mPB001098@free.home.local>
Resent-Message-ID: <200512101110.jBABA346073325@freefall.freebsd.org>
>Number:         90181
>Category:       kern
>Synopsis:       IPSEC_FILTERGIF documentation is incomplete
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 10 11:10:03 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Yuriy Tsibizov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD free.home.local 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Sat Dec 10 12:16:33 MSK 2005 chibis@free.home.local:/usr/obj/usr/src/sys/FREE-IPSEC i386
>Description:
/usr/src/sys/conf/NOTES does not document all consequences of adding IPSEC_FILTERGIF to the kernel configuration. It describes that this option only affects decrypted packets coming from an IPSec-encrypted gif tunnel. In reality it will also allow filtering of all decrypted IPSec data (like transport mode ESP tunnels). The ipfw "ipsec" option also works for all decrypted packets if this kernel option is enabled.
>How-To-Repeat:
I can't check it on a real network, only on loopback (lo0).

(kernel configuration:
options IPSEC                        #IP security
options IPSEC_ESP                    #IP security (crypto; define w/ IPSEC)
options IPSEC_FILTERGIF              #filter ipsec packets from a tunnel
options IPFIREWALL                   #firewall
options IPFIREWALL_VERBOSE           #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
)

1. Add IPSEC configuration for the lo0 interface:

setkey flush;
setkey add 127.0.0.1 127.0.0.1 esp 0x1001 -E des-cbc 0x0000000000000001;
setkey 127.0.0.1/32 127.0.0.1/32 any -P out ipsec esp/tunnel/127.0.0.1-127.0.0.1/require;
setkey 127.0.0.1/32 127.0.0.1/32 any -P in ipsec esp/tunnel/127.0.0.1-127.0.0.1/require;

2. Add IPFW configuration:

ipfw flush
ipfw add allow log logamount 100 esp from any to any
ipfw add deny log logamount 100 ip from any to any

3. Ping localhost

4. Look into the security log, you will get

Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:25:15 free kernel: ipfw: 200 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0

5. Change IPFW configuration:

ipfw flush
ipfw add allow log logamount 100 esp from any to any
ipfw add allow log logamount 100 ip from any to any ipsec
ipfw add deny log logamount 100 ip from any to any

6. Ping localhost

7. You will get

Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:32:36 free kernel: ipfw: 200 Accept ICMP:0.0 127.0.0.1 127.0.0.1 in via lo0

in your security log.
>Fix:
Update NOTES:

#
# Set IPSEC_FILTERGIF to force packets coming from IPSec
# to be processed by any configured packet filtering (ipfw, ipf).
# The default is that these packets are _not_ processed;
# they are assumed trusted.
#
# IPSEC history is preserved for such packets, and can be filtered
# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
#
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200512101101.jBAB1mPB001098>
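The log check implied by steps 4 and 7 of the PR, as an added example that is not part of the PR or of FreeBSD: a small sh/awk script that reads ipfw(8) log lines and reports whether a decrypted inner packet reached the ruleset after the outer ESP datagram was accepted, which is the IPSEC_FILTERGIF behaviour the report describes. The log samples are constructed to mirror the format quoted in the PR; the function and variable names (inner_verdict, LOG_FILTERED and so on) are my own and not an ipfw or FreeBSD interface.

```shell
#!/bin/sh
# Added example, not part of the PR: decide from ipfw(8) log lines whether
# the packets carried inside ESP were run through the ruleset a second time
# after decryption (IPSEC_FILTERGIF in effect) or were passed as trusted.
# All log lines below are constructed to match the format quoted in the PR.

# Constructed: FILTERGIF kernel, ruleset from step 2 (inner ICMP hits the deny)
LOG_FILTERED='Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:25:15 free kernel: ipfw: 200 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0'

# Constructed: FILTERGIF kernel, ruleset from step 5 (the "ipsec" rule matches)
LOG_IPSEC_RULE='Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:32:36 free kernel: ipfw: 200 Accept ICMP:0.0 127.0.0.1 127.0.0.1 in via lo0'

# Constructed: kernel without FILTERGIF; only the outer ESP datagrams are logged
LOG_TRUSTED='Dec 10 12:40:00 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:40:00 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0'

# inner_verdict LOGTEXT
# Prints the ipfw action applied to the first inbound non-ESP packet logged
# after an inbound ESP datagram was accepted:
#   "Accept" / "Deny"  the decrypted payload was filtered (FILTERGIF in effect)
#   "none"             ESP arrived, but no inner packet reached the ruleset
#   "no-esp"           no inbound ESP datagram was logged at all
inner_verdict() {
    printf '%s\n' "$1" | awk '
        /ipfw: / {
            # Fields after "ipfw:" are: rule action proto src dst dir via ifname
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            action = $(i + 2); proto = $(i + 3); dir = $(i + 6)
            if (dir != "in") next
            # P:50 is the outer ESP datagram (IP protocol 50)
            if (proto == "P:50") { esp_in = 1; next }
            # Anything else arriving inbound after ESP is the decrypted payload
            if (esp_in && verdict == "") verdict = action
        }
        END {
            if (!esp_in) print "no-esp"
            else if (verdict == "") print "none"
            else print verdict
        }'
}

# One summary line per constructed sample, for reading at the terminal
report() {
    printf 'filtergif, deny ruleset:  %s\n' "$(inner_verdict "$LOG_FILTERED")"
    printf 'filtergif, ipsec rule:    %s\n' "$(inner_verdict "$LOG_IPSEC_RULE")"
    printf 'no filtergif:             %s\n' "$(inner_verdict "$LOG_TRUSTED")"
}

report
```

On a real host the function is fed the security log, for instance inner_verdict "$(grep 'ipfw:' /var/log/security)". With the step 2 ruleset, a "Deny" result is the signature of IPSEC_FILTERGIF: the inner packet was filtered and, being plain ICMP after decryption, matched the catch-all deny. "none" is the default behaviour the proposed NOTES text calls "assumed trusted". The single-DES SA the PR uses is fine for a loopback demonstration but should not be copied into a real configuration.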