Date: Fri, 23 Jun 2006 19:38:01 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Max Laier <max@love2party.net>
Cc: freebsd-doc@freebsd.org
Subject: Re: kern/97057: IPSEC + pf needs note?
Message-ID: <20060623163801.GA54335@gothmog.pc>
In-Reply-To: <200606020950.14480.max@love2party.net>
References: <200606020950.14480.max@love2party.net>
On 2006-06-02 09:50, Max Laier <max@love2party.net> wrote:
> Hi,
> anyone up for taking responsibility for this? I don't think we
> should change GENERIC for it, but it should clearly be
> documented somewhere somehow.
>
> Thanks.

Copying the text of the report here too:

# Message-Id: <200605092157.k49LvPN1061507@www.freebsd.org>
# Date: Tue, 9 May 2006 21:57:25 GMT
# From: Dmitry Andrianov <freebsd@dima.spb.ru>
#
# When IPSEC is configured according to handbook
# ( http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html )
# but pf is used instead of ipfw, users experience very strange
# TCP connection stalls.
#
# In addition to me experiencing that problem
# ( http://lists.freebsd.org/pipermail/freebsd-pf/2006-May/002129.html )
#
# I believe the following reports also refer to the same problem I had:
# http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008812.html
# http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008745.html
#
# The problem is caused by the fact PF can not properly track state
# because it does not see packets coming from the tunnel to gif
# interface. The problem is resolved by rebuilding kernel with
# IPSEC_FILTERGIF. And the real challenge is to find that solution
# because all the references to that option say that it is needed
# if you want filtering on gif. I do NOT want filtering on gif, I
# want filtering on other interfaces but it does not work either.
#
# In my opinion, IPSEC_FILTERGIF option should be on by default. If
# it is absolutely unacceptable, documentation should be fixed to
# reflect "side effect" of enabling IPSEC/FAST_IPSEC without
# IPSEC_FILTERGIF

Since the problem described can be a side-effect of the IPSEC setup the
Handbook describes, I guess we should fix the Handbook to mention the
IPSEC_FILTERGIF option. Does the following look ok?

# giorgos@gothmog:/home/giorgos/ws/doc/en_US.ISO8859-1/books/handbook/security$ svk log -v -r 8:9
# ----------------------------------------------------------------------
# r9: giorgos | 2006-06-23 19:36:51 +0300
# Changed paths:
# M /trunk/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml
#
# Mention that IPSEC_FILTERGIF is needed to successfully use some of our
# firewalls and IPSEC at the same time.
# ----------------------------------------------------------------------
# giorgos@gothmog:/home/giorgos/ws/doc/en_US.ISO8859-1/books/handbook/security$ svk diff -v -r 8:9
# === chapter.sgml
# ==================================================================
# --- chapter.sgml (revision 8)
# +++ chapter.sgml (revision 9)
# @@ -3117,7 +3117,17 @@
# <quote>Fast IPsec</quote> subsystem in lieu of the KAME
# implementation of IPsec. Consult the &man.fast.ipsec.4;
# manual page for more information.</para>
# + </note>
#
# + <note>
# + <para>To let firewalls properly track state for &man.gif.4;
# + tunnels too, you have to enable the
# + <option>IPSEC_FILTERGIF</option> in your kernel
# + configuration:</para>
# +
# + <screen>
# +options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
# + </screen>
# </note>
#
# <indexterm>
# giorgos@gothmog:/home/giorgos/ws/doc/en_US.ISO8859-1/books/handbook/security$
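Review bot: the wording of the added note, "track state for &man.gif.4; tunnels too", repeats the ambiguity the PR complains about, namely that every mention of IPSEC_FILTERGIF reads as if it only mattered when filtering on gif itself; the report's point is that without the option packets coming out of the tunnel are never passed to the firewall, so a stateful firewall such as pf on any other interface sees only one direction of a connection and TCP stalls. Suggest saying that directly, e.g. "Without IPSEC_FILTERGIF, packets arriving through a &man.gif.4; tunnel bypass the firewall, so pf or ipfw cannot track state for them; enable the option whenever IPSEC or FAST_IPSEC is combined with a firewall:". Also, "enable the <option>IPSEC_FILTERGIF</option> in your kernel configuration" is missing the word "option" after the element.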
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060623163801.GA54335>
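As an added illustration of the check an administrator would want after reading this thread (the script below is not part of the mail thread or of the Handbook), here is a small sh audit that parses a kernel config and flags the combination the PR describes: IPSEC or FAST_IPSEC together with an in-kernel firewall (pf, ipfw, IPFilter) but no IPSEC_FILTERGIF. The option and device names are the ones used in the thread and in FreeBSD 6 kernel configs; the two sample config fragments are constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mail thread or the Handbook: audit a FreeBSD
# kernel config for the pitfall reported in kern/97057, i.e. IPSEC/FAST_IPSEC
# plus an in-kernel firewall without IPSEC_FILTERGIF.  Option and device
# names are those used in the thread; the sample config text is constructed.

# Constructed sample: IPsec and pf enabled, IPSEC_FILTERGIF missing.
SAMPLE_BAD='ident       GOTHMOG        # constructed sample, option missing
options     IPSEC
options     IPSEC_ESP
device      pf
device      pflog
device      gif
'

# Same sample plus the line the proposed Handbook note adds.
SAMPLE_OK="${SAMPLE_BAD}options     IPSEC_FILTERGIF #filter ipsec packets from a tunnel
"

# has_entry CONFIG KEYWORD NAME: succeed when a line "KEYWORD NAME" exists,
# ignoring comments and extra whitespace (kernel config syntax).
has_entry() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk -v kw="$2" -v want="$3" '
        $1 == kw && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_kernel_config CONFIG: print a verdict; return 1 only for the
# IPsec + firewall + no IPSEC_FILTERGIF combination, 0 otherwise.
audit_kernel_config() {
    cfg="$1"
    if ! has_entry "$cfg" options IPSEC && ! has_entry "$cfg" options FAST_IPSEC; then
        echo "ok: no IPsec in this kernel config"
        return 0
    fi
    # Firewalls that can be compiled into the kernel (names as in FreeBSD 6).
    fw=""
    has_entry "$cfg" device  pf         && fw="pf"
    has_entry "$cfg" options IPFIREWALL && fw="ipfw"
    has_entry "$cfg" options IPFILTER   && fw="ipfilter"
    if [ -z "$fw" ]; then
        echo "ok: IPsec without an in-kernel firewall"
        return 0
    fi
    if has_entry "$cfg" options IPSEC_FILTERGIF; then
        echo "ok: IPSEC_FILTERGIF present, $fw sees tunnel traffic"
        return 0
    fi
    echo "warning: IPsec + $fw without IPSEC_FILTERGIF; packets leaving the tunnel bypass $fw, so stateful rules see only one direction"
    return 1
}

# Demonstration on the constructed samples (a real run would feed the
# kernel config file, e.g. "$(cat /usr/src/sys/i386/conf/MYKERNEL)").
audit_kernel_config "$SAMPLE_BAD" || true
audit_kernel_config "$SAMPLE_OK"
```

The verdict distinguishes the harmless cases (no IPsec, or IPsec without an in-kernel firewall) from the one the PR describes, so the script can be dropped into a build check that fails only when the option is really missing.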