Date:      Mon, 14 Jan 2002 14:13:05 +0100
From:      Alex Le Heux <alexlh@funk.org>
To:        Kshitij Gunjikar <kshitijgunjikar@yahoo.com>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: Filtering packets received through an ipsec tunnel
Message-ID:  <20020114131305.GK75815@funk.org>
In-Reply-To: <DJEEIBCKNENADJJIMPLFAEGNCDAA.kshitijgunjikar@yahoo.com>
References:  <DJEEIBCKNENADJJIMPLFAEGNCDAA.kshitijgunjikar@yahoo.com>

Hi,

I don't think this is quite correct.

The fact that I have a tunnel means I have some relation with the other
network, and that I do not trust the network(s) between us.

It does NOT mean that I trust their security setup and want to receive any
packet that they send me.

So I would certainly hope that I have the option of filtering.

Cheers,

Alex Le Heux

On Mon, Jan 14, 2002 at 05:32:11PM +0530, Kshitij Gunjikar wrote:
> 
> 
> Hi Rene,
>   I'm wondering why you want to filter secure traffic?
> 
> The very fact that you have a tunnel to a place means you trust that
> network. Hence, why filter?
> 
> What are the complex situations you have in mind?
> 
> Regards
> Kshitij
> 
> -----Original Message-----
> From: owner-freebsd-net@freebsd.org
> [mailto:owner-freebsd-net@freebsd.org]On Behalf Of Rene de Vries
> Sent: Sunday, January 13, 2002 10:32 PM
> To: net@freebsd.org
> Subject: Filtering packets received through an ipsec tunnel
> 
> 
> Hello,
> 
> > This message was already posted to hackers@freebsd.org, but with
> > limited success. I'm hoping that someone on net@freebsd.org can give me
> > some more information.
> 
> By experimenting with ipsec and looking at the source of "ip_input.c", a
> co-worker and I found out the following.
> 
> When an ipsec tunnel packet is received, this (protocol 50/51) packet is
> passed through ip-filter (& co). After filtering, and when it has been
> determined that the current host is the destination (tunnel end-point),
> this packet is decrypted/verified. The decrypted packet is then pushed
> back into the queue that leads to ip_input(...). So far so good....
> 
> But once in ip_input(...) the filtering code is skipped and we were
> wondering why.
> 
> I know that ipsec has some handles to be able to filter on address,
> protocol and/or port. But for more complex situations this is not
> enough. In these situations it would be nice to be able to use
> ip-filter (& co) on traffic from the tunnel (and also for traffic going
> into the tunnel).
> 
> I was wondering why this is implemented the way it is. Maybe someone on
> this list could shed some light on this?
> 
> Rene
> --
> Rene de Vries <rene@tcja.nl>
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
> 
> 
> 

-- 
"My theory is that the (Internet) industry was started in
large part by technologists rather than media people..."
		- Robin Webster, President, Interactive Advertising Bureau

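The following C program is an added illustration of the two points in this thread, the ip_input() flow Rene describes (outer ESP packet filtered, decapsulated, inner packet requeued without filtering) and Alex's objection that a tunnel does not imply trusting whatever the peer sends. It is not code from the thread or from FreeBSD. The addresses, the SPI, the rule set and the NULL-encryption, no-ICV ESP framing are assumptions made so the inner packet can be read without keys; a real implementation decrypts and authenticates before any of this.

```c
/* Added illustration, not FreeBSD code: a toy model of the ip_input() path in the
 * thread. The outer ESP packet meets the filter; once we are found to be the
 * tunnel end-point it is decapsulated and the inner packet is either requeued
 * unfiltered (what the thread observed) or filtered with the same rules (what
 * is being asked for). ESP is modelled as NULL encryption without ICV so the
 * inner packet is readable without keys. Addresses, SPI and rules are made up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { PROTO_IPIP = 4, PROTO_TCP = 6, PROTO_UDP = 17, PROTO_ESP = 50 };
enum verdict { BLOCK = 0, PASS = 1 };
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PEER_GW   IP(192, 0, 2, 1)    /* remote tunnel end-point (assumed) */
#define OUR_GW    IP(198, 51, 100, 1) /* this host (assumed) */
#define MAIL_HOST IP(10, 1, 0, 10)    /* the one internal host the peer may reach */

struct ip4 { uint8_t proto; uint32_t src, dst; size_t hlen; uint16_t sport, dport; };
static uint32_t rd32(const uint8_t *p) { return IP(p[0], p[1], p[2], p[3]); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Minimal IPv4 header parse; ports are read only for TCP/UDP. */
static int parse_ip4(const uint8_t *d, size_t len, struct ip4 *h) {
    if (len < 20 || (d[0] >> 4) != 4) return -1;
    h->hlen = (size_t)(d[0] & 0x0f) * 4;
    if (h->hlen < 20 || h->hlen > len) return -1;
    h->proto = d[9]; h->src = rd32(d + 12); h->dst = rd32(d + 16); h->sport = h->dport = 0;
    if ((h->proto == PROTO_TCP || h->proto == PROTO_UDP) && len >= h->hlen + 4) {
        h->sport = rd16(d + h->hlen); h->dport = rd16(d + h->hlen + 2);
    }
    return 0;
}

/* First-match rule set (ipfw style); 0 in a field means "any". */
struct rule { enum verdict act; uint8_t proto; uint32_t src, dst; uint16_t dport; };
static const struct rule rules[] = {
    { PASS,  PROTO_ESP, PEER_GW, OUR_GW,    0  }, /* the tunnel itself */
    { PASS,  PROTO_TCP, 0,       MAIL_HOST, 25 }, /* peer may reach SMTP only */
    { BLOCK, 0,         0,       0,         0  }, /* default deny */
};
static enum verdict filter(const struct ip4 *h) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if ((r->proto && r->proto != h->proto) || (r->src && r->src != h->src) ||
            (r->dst && r->dst != h->dst) || (r->dport && r->dport != h->dport)) continue;
        return r->act;
    }
    return BLOCK;
}

/* Strip a NULL-encryption, unauthenticated ESP envelope in tunnel mode:
 * SPI(4) seq(4) | inner IP packet | pad | padlen(1) nexthdr(1). */
static int esp_decap(const uint8_t *d, size_t len, const uint8_t **inner, size_t *ilen) {
    if (len < 10 || d[len - 1] != PROTO_IPIP || (size_t)d[len - 2] + 10 > len) return -1;
    *inner = d + 8; *ilen = len - 8 - d[len - 2] - 2;
    return 0;
}

/* What the thread observed: only the outer packet meets the filter; the
 * decapsulated packet is requeued to ip_input() and skips it. */
enum verdict input_outer_only(const uint8_t *d, size_t len) {
    struct ip4 o;
    return parse_ip4(d, len, &o) ? BLOCK : filter(&o);
}

/* What is being asked for: the inner packet is filtered with the same rules,
 * so the peer only reaches what our policy allows. */
enum verdict input_filter_inner(const uint8_t *d, size_t len) {
    struct ip4 o, in; const uint8_t *ip; size_t il;
    if (parse_ip4(d, len, &o) || filter(&o) != PASS) return BLOCK;
    if (o.proto != PROTO_ESP || o.dst != OUR_GW) return PASS; /* not our tunnel: forward as-is */
    if (esp_decap(d + o.hlen, len - o.hlen, &ip, &il) || parse_ip4(ip, il, &in)) return BLOCK;
    return filter(&in);
}

static void ip4_hdr(uint8_t *p, uint8_t proto, uint32_t src, uint32_t dst, size_t total) {
    memset(p, 0, 20); p[0] = 0x45; put16(p + 2, (uint16_t)total); p[8] = 64; p[9] = proto;
    put32(p + 12, src); put32(p + 16, dst); /* header checksum left 0: not validated here */
}

/* Constructed sample: ESP from PEER_GW to OUR_GW carrying a TCP SYN from
 * 10.2.0.5 to MAIL_HOST on inner_dport. buf needs 128 bytes; returns length. */
size_t build_tunnel_packet(uint8_t *buf, uint16_t inner_dport) {
    uint8_t inner[40];
    ip4_hdr(inner, PROTO_TCP, IP(10, 2, 0, 5), MAIL_HOST, sizeof inner);
    memset(inner + 20, 0, 20); put16(inner + 20, 40123); put16(inner + 22, inner_dport);
    inner[33] = 0x02;                                   /* TCP flags: SYN */
    size_t padlen = (4 - ((sizeof inner + 2) % 4)) % 4; /* ESP 4-byte alignment */
    size_t esplen = 8 + sizeof inner + padlen + 2;
    ip4_hdr(buf, PROTO_ESP, PEER_GW, OUR_GW, 20 + esplen);
    uint8_t *e = buf + 20;
    put32(e, 0x1000); put32(e + 4, 1);                  /* SPI, sequence number */
    memcpy(e + 8, inner, sizeof inner);
    for (size_t i = 0; i < padlen; i++) e[8 + sizeof inner + i] = (uint8_t)(i + 1);
    e[esplen - 2] = (uint8_t)padlen; e[esplen - 1] = PROTO_IPIP;
    return 20 + esplen;
}

int main(void) {
    uint8_t buf[128];
    const uint16_t ports[] = { 25, 22 };
    for (int i = 0; i < 2; i++) {
        size_t n = build_tunnel_packet(buf, ports[i]);
        printf("inner TCP to port %u: outer-only=%s with-inner=%s\n", (unsigned)ports[i],
               input_outer_only(buf, n) == PASS ? "pass" : "block",
               input_filter_inner(buf, n) == PASS ? "pass" : "block");
    }
    return 0;
}
```

Both sample packets are identical on the outside (ESP from the peer gateway to us), so a filter that only sees the outer header passes both; only the path that runs the decapsulated packet through the rules again blocks the SSH attempt while letting SMTP through. That is the gap the thread is about: the outer filter can decide whether to accept the tunnel at all, but not what the peer may do through it.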