From owner-freebsd-security Wed Apr 11 02:00:41 2001
Date: Wed, 11 Apr 2001 10:00:36 +0100
From: Rasputin
To: security@freebsd.org
Subject: Re: Interaction between ipfw, IPSEC and natd
Message-ID: <20010411100036.B63302@dogma.freebsd-uk.eu.org>
References: <20010410181407.A1011@linnet.org>
In-Reply-To: <20010410181407.A1011@linnet.org>; from B.Candler@pobox.com on Tue, Apr 10, 2001 at 06:14:07PM +0100

* Brian Candler [010410 18:15]:
> Is there any documentation on how ipfw, natd and IPSEC interact with each
> other? In particular,
> - what is the order of processing of inbound and outbound packets?
> - when packets are re-injected by natd, where in the whole system are they
>   re-injected?
> - do packets reinjected by natd still match 'in via ' or
>   'out via '? (OK, I could determine this one experimentally,
>   but I'd still like to see it documented :-)
>
> I see that by default FreeBSD puts its natd divert rule right at the very
> top of the ruleset, but I have found that this stops IPSEC processing
> working. I can make it work by putting natd lower down: e.g.
>
> add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8 # private addrs
> add 02000 divert 8668 ip from any to any via xl0 # external i/face

Does anybody know if ipfilter has similar problems with IPSec? I saw a thread
in the NetBSD mail archives that indicated this, but it was around a year old.

And if anyone knows where I can get free IPSec clients for Mac (OS9.x) I'll
send them a packet of chocolate HobNobs. Chocolate- Mmm....

(URL would be good. There's supposed to be one somewhere in the rat's nest
that is http://www.nai.com, but a friend of mine went looking last week and
we never saw him again.)

-- 
Rasputin
Jack of All Trades :: Master of Nuns
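To make the ordering point in the quoted ruleset concrete, here is an added Python model (not code from the thread or from FreeBSD) of ipfw's first-match evaluation over the two quoted rules, comparing them with the same divert rule moved to the top of the ruleset. The rule number 100 for the top-of-ruleset divert, the sample addresses and the interface name fxp0 are constructed for the example.

```python
import ipaddress

# The two rules quoted in the thread: private-to-private traffic is
# permitted before the natd divert rule on the external interface.
RULESET_PERMIT_FIRST = [
    (1000, "permit", "10.0.0.0/8", "10.0.0.0/8", None),
    (2000, "divert", "0.0.0.0/0", "0.0.0.0/0", "xl0"),
]
# The placement the thread reports as breaking IPsec: divert at the very top.
# Rule number 100 is a constructed value, not FreeBSD's default number.
RULESET_DIVERT_FIRST = [
    (100, "divert", "0.0.0.0/0", "0.0.0.0/0", "xl0"),
    (1000, "permit", "10.0.0.0/8", "10.0.0.0/8", None),
]


def first_match(ruleset, src, dst, iface):
    """Return (rule number, action) of the first rule the packet matches.

    Models ipfw's first-match evaluation: rules are walked in numeric order
    and the first matching rule decides the packet's fate.  A 'divert' hands
    the packet to natd on the divert port; a 'permit' passes it untouched.
    Returns (None, 'deny') when nothing matches, as a default-deny rule would.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, src_net, dst_net, via in sorted(ruleset):
        if s not in ipaddress.ip_network(src_net):
            continue
        if d not in ipaddress.ip_network(dst_net):
            continue
        if via is not None and via != iface:
            continue
        return num, action
    return None, "deny"


def compare(src, dst, iface):
    """Evaluate one packet under both orderings; returns {name: (num, action)}."""
    return {
        "permit_first": first_match(RULESET_PERMIT_FIRST, src, dst, iface),
        "divert_first": first_match(RULESET_DIVERT_FIRST, src, dst, iface),
    }


if __name__ == "__main__":
    # Constructed: a private-to-private packet leaving via the external
    # interface (the kind of traffic a site-to-site IPsec tunnel carries).
    for name, outcome in compare("10.1.2.3", "10.9.8.7", "xl0").items():
        print(f"{name}: {outcome}")
```

With the permit first, the 10.x-to-10.x packet is never handed to natd; with the divert first, natd sees it before any later rule can exempt it, which is the ordering difference the quoted message describes.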