Date: Fri, 1 Dec 2000 16:25:38 +0200 From: "Ari Suutari" <ari@suutari.iki.fi> To: <freebsd-net@freebsd.org> Subject: Re: filtering ipsec traffic (fwd) Message-ID: <006901c05ba2$93d715b0$0e05a8c0@intranet.syncrontech.com>
Hi,

> > So far, just one limitation comes to mind, which is that the packet
> > filters cannot discriminate between a naturally non-IPsec packet, and a
> > non-IPsec packet which 'was' or 'will be' an IPsec one. I don't think
> > this is a big problem though.

But what if we are running in IPsec tunnel mode? For example, I could use
an IPsec tunnel to connect two 192.168.x.x networks together. In such a
setup, I would allow IPsec packets between the tunnel endpoints and
packets between the 192.168.x.x networks, but *only* if they are coming
from the tunnel.

Last time I tried that, adding 'ipfw pass any from 192.168.x.x .....'
also allowed non-IPsec traffic between these nodes. This is a security
hole, which allows someone to send packets with a spoofed source address
to your system.

	Ari S.

--
Ari Suutari <ari@suutari.iki.fi>
Lemi, Finland

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?006901c05ba2$93d715b0$0e05a8c0>
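The hole Ari describes, modelled as a first-match packet filter in Python. This is an added illustration, not code from the thread or from FreeBSD: the addresses (documentation prefixes fronting two 192.168 networks), the rule shape and the `ipsec_history` flag that the kernel sets on a packet it has just decapsulated are all assumptions made for the example. The "naive" ruleset is the one from the mail: pass ESP between the tunnel endpoints, then pass anything between the two private networks. A cleartext packet arriving from the Internet with a spoofed 192.168 source matches the second rule just as well as the real decapsulated tunnel traffic does. The "hardened" ruleset additionally requires IPsec history on the private-network rules, which is the discrimination the quoted text says the filter lacks; later ipfw versions expose this as the `ipsec` rule option.

```python
"""Toy model of an ipfw-style first-match filter in front of an IPsec tunnel.

Added example only.  Addresses, rule syntax and the ipsec_history flag are
assumptions for the illustration, not the behaviour of any FreeBSD release.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology: gateway A fronts 192.168.1.0/24, gateway B fronts
# 192.168.2.0/24; the gateways talk ESP to each other over the Internet.
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
NET_A, NET_B = "192.168.1.0/24", "192.168.2.0/24"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "esp" for the outer tunnel packet, else the inner protocol
    ipsec_history: bool = False  # assumed kernel flag: packet was decapsulated from an SA


@dataclass
class Rule:
    action: str                  # "pass" or "deny"
    proto: str                   # "any" or a protocol name
    src: str                     # CIDR
    dst: str                     # CIDR
    require_ipsec: bool = False  # match only packets that came out of the tunnel

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.require_ipsec and not pkt.ipsec_history:
            return False
        return True


def evaluate(rules, pkt):
    """First matching rule decides; no match means deny, as with ipfw's default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def ruleset(require_ipsec):
    """The ruleset from the mail; require_ipsec=True is the hardened variant."""
    host = lambda a: a + "/32"
    return [
        Rule("pass", "esp", host(GW_A), host(GW_B)),
        Rule("pass", "esp", host(GW_B), host(GW_A)),
        Rule("pass", "any", NET_A, NET_B, require_ipsec),
        Rule("pass", "any", NET_B, NET_A, require_ipsec),
        Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
    ]


NAIVE = ruleset(False)
HARDENED = ruleset(True)

# Constructed packets as seen by gateway A's inbound filter.
ESP_OUTER = Packet(GW_B, GW_A, "esp")                                         # the tunnel itself
TUNNEL_INNER = Packet("192.168.2.10", "192.168.1.20", "tcp", ipsec_history=True)  # after decapsulation
SPOOFED = Packet("192.168.2.10", "192.168.1.20", "tcp")                       # cleartext, forged source


def demo():
    """Return the verdict of each ruleset on each packet."""
    return {
        name: {
            "esp_outer": evaluate(rules, ESP_OUTER),
            "tunnel_inner": evaluate(rules, TUNNEL_INNER),
            "spoofed": evaluate(rules, SPOOFED),
        }
        for name, rules in (("naive", NAIVE), ("hardened", HARDENED))
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The naive ruleset passes the spoofed packet because address matching alone cannot tell a decapsulated packet from a forged one; the hardened ruleset denies it while still passing the outer ESP and the genuine inner traffic. Whatever filter you use, the private-network rules must key on "came out of the tunnel", not on source address.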