From owner-freebsd-doc@FreeBSD.ORG Fri Jun 23 16:38:24 2006
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Max Laier
Cc: freebsd-doc@freebsd.org
Date: Fri, 23 Jun 2006 19:38:01 +0300
Subject: Re: kern/97057: IPSEC + pf needs note?
Message-ID: <20060623163801.GA54335@gothmog.pc>
In-Reply-To: <200606020950.14480.max@love2party.net>
References: <200606020950.14480.max@love2party.net>
List-Id: Documentation project

On 2006-06-02 09:50, Max Laier wrote:
> Hi,
> anyone up for taking responsibility for this? I don't think we
> should change GENERIC for it, but it should clearly be
> documented somewhere somehow.
>
> Thanks.

Copying the text of the report here too:

# Message-Id: <200605092157.k49LvPN1061507@www.freebsd.org>
# Date: Tue, 9 May 2006 21:57:25 GMT
# From: Dmitry Andrianov
#
# When IPSEC is configured according to the handbook
# ( http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html )
# but pf is used instead of ipfw, users experience very strange
# TCP connection stalls.
#
# In addition to me experiencing that problem
# ( http://lists.freebsd.org/pipermail/freebsd-pf/2006-May/002129.html )
#
# I believe the following reports also refer to the same problem I had:
# http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008812.html
# http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008745.html
#
# The problem is caused by the fact that PF cannot properly track state
# because it does not see packets coming from the tunnel to the gif
# interface. The problem is resolved by rebuilding the kernel with
# IPSEC_FILTERGIF. And the real challenge is to find that solution,
# because all the references to that option say that it is needed
# if you want filtering on gif. I do NOT want filtering on gif, I
# want filtering on other interfaces, but it does not work either.
#
# In my opinion, the IPSEC_FILTERGIF option should be on by default. If
# that is absolutely unacceptable, the documentation should be fixed to
# reflect the "side effect" of enabling IPSEC/FAST_IPSEC without
# IPSEC_FILTERGIF.

Since the problem described can be a side-effect of the IPSEC setup the
Handbook describes, I guess we should fix the Handbook to mention the
IPSEC_FILTERGIF option. Does the following look ok?

# giorgos@gothmog:/home/giorgos/ws/doc/en_US.ISO8859-1/books/handbook/security$ svk log -v -r 8:9
# ----------------------------------------------------------------------
# r9: giorgos | 2006-06-23 19:36:51 +0300
# Changed paths:
# M /trunk/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml
#
# Mention that IPSEC_FILTERGIF is needed to successfully use some of our
# firewalls and IPSEC at the same time.
# ---------------------------------------------------------------------- # giorgos@gothmog:/home/giorgos/ws/doc/en_US.ISO8859-1/books/handbook/security$ svk diff -v -r 8:9 # === chapter.sgml # ================================================================== # --- chapter.sgml (revision 8) # +++ chapter.sgml (revision 9) # @@ -3117,7 +3117,17 @@ # Fast IPsec subsystem in lieu of the KAME # implementation of IPsec. Consult the &man.fast.ipsec.4; # manual page for more information. # + # # + # + To let firewalls properly track state for &man.gif.4; # + tunnels too, you have to enable the # + in your kernel # + configuration: # + # + # +options IPSEC_FILTERGIF #filter ipsec packets from a tunnel # + # # # # giorgos@gothmog:/home/giorgos/ws/doc/en_US.ISO8859-1/books/handbook/security$
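Review bot: the added note explains the option in exactly the terms the PR complains about. "To let firewalls properly track state for gif tunnels too" reads as if IPSEC_FILTERGIF only matters when you want to filter on the gif interface, whereas the report says that without it pf never sees the packets coming out of the tunnel, so state tracking breaks for traffic filtered on the other interfaces and TCP connections stall. Suggest stating the symptom and the cause, roughly: "Without IPSEC_FILTERGIF, packets arriving through the tunnel are not passed to the firewall, so stateful firewalls such as pf cannot track those connections and TCP connections through the tunnel stall. Add the option even if you do not intend to filter on the gif interface itself." Two smaller points: as rendered here the sentence "you have to enable the in your kernel configuration" has no object, so check that the option name appears in the sentence and not only in the programlisting line; and the note is attached to the Fast IPsec paragraph, while the PR reports the problem for both IPSEC and FAST_IPSEC, so either place it where it covers both or say explicitly that it applies to both.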
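The report above boils down to one kernel configuration pitfall: IPSEC or FAST_IPSEC enabled without IPSEC_FILTERGIF on a gateway that runs pf. The following is an added example, not from the PR, the Handbook or any FreeBSD tool: a small POSIX shell check that scans a kernel configuration file for that combination. The two sample configurations are constructed for the example (the option lines follow the spelling used in sys/conf/NOTES, the config names VPNGW_STALLS and VPNGW_FIXED are invented), and it is the stalling one beside the corrected one.

```shell
#!/bin/sh
# Added example (not part of the PR or the Handbook change): flag a FreeBSD
# kernel configuration that enables IPSEC or FAST_IPSEC without
# IPSEC_FILTERGIF, the combination the PR reports as breaking stateful
# filtering with pf.  Sample configurations below are constructed; the
# config names are made up.

# check_kernconf NAME < KERNCONF
# Returns 0 when IPsec is off, or on together with IPSEC_FILTERGIF;
# returns 1 (and warns on stderr) when IPsec is on without it.
check_kernconf() {
    name=${1:-kernel config}
    opt='^[[:space:]]*options[[:space:]]+'
    end='([[:space:]]|$)'
    # Strip comments first so "#options IPSEC" does not count as enabled.
    stripped=$(sed 's/#.*//')
    ipsec=$(printf '%s\n' "$stripped" | grep -E -c "${opt}(IPSEC|FAST_IPSEC)${end}" || true)
    filtergif=$(printf '%s\n' "$stripped" | grep -E -c "${opt}IPSEC_FILTERGIF${end}" || true)
    if [ "$ipsec" -gt 0 ] && [ "$filtergif" -eq 0 ]; then
        echo "$name: IPSEC/FAST_IPSEC enabled without IPSEC_FILTERGIF;" \
             "pf will not see packets arriving through gif tunnels" >&2
        return 1
    fi
    return 0
}

# Constructed sample: KAME IPsec as the Handbook's VPN chapter enables it,
# the setup the PR reports as stalling TCP connections when pf is the firewall.
KERNCONF_STALLS='
options         IPSEC                   #IP security
options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
device          gif                     #IPv6 and IPv4 tunneling
'
# Constructed sample: the same plus the option the PR and the diff call for.
KERNCONF_FIXED='
options         IPSEC                   #IP security
options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
options         IPSEC_FILTERGIF         #filter ipsec packets from a tunnel
device          gif                     #IPv6 and IPv4 tunneling
'
# Constructed sample: no IPsec at all, so nothing to complain about.
KERNCONF_PLAIN='
device          gif                     #IPv6 and IPv4 tunneling
'

# report NAME CONFIG_TEXT: run the check and print a one-line verdict.
report() {
    if printf '%s\n' "$2" | check_kernconf "$1"; then
        echo "$1: ok"
    fi
}

report VPNGW_STALLS "$KERNCONF_STALLS"
report VPNGW_FIXED  "$KERNCONF_FIXED"
report VPNGW_PLAIN  "$KERNCONF_PLAIN"
```

To run it against a real configuration, feed the file on stdin, for example `check_kernconf VPNGW < /usr/src/sys/i386/conf/VPNGW`. The check only reads the configuration file, so a config that later removes the option with `nooptions`, or a kernel built from a different file than the one inspected, is not detected.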