Date:      Thu, 30 Nov 2000 02:28:22 -0800 (PST)
From:      "f.johan.beisser" <jan@caustic.org>
To:        itojun@iijlab.net
Cc:        Dominick LaTrappe <seraf@2600.COM>, freebsd-net@FreeBSD.ORG, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Gerhard Sittig <Gerhard.Sittig@gmx.net>
Subject:   Re: filtering ipsec traffic (fwd)
Message-ID:  <Pine.BSF.4.21.0011300211200.9930-100000@pogo.caustic.org>
In-Reply-To: <20718.975566409@coconut.itojun.org>

On Thu, 30 Nov 2000 itojun@iijlab.net wrote:

> 	there are a couple of ways to make it better:
> 	- enhance packet filters so that we can differentiate between multiple
> 	  filtering points (make it possible to specify "this filter should
> 	  be applied here"). 

couldn't you just add a set of commands in IPFW to recognise IPSec
packets?

this may not work right off the bat, since the packet has passed through
the filterset already, but i don't see why it couldn't be recognised
right off hand.

	1. the IP packet comes in.
	2. it passes through filterset A (NAT, etc).
	3. the packet either matches IPSec (AH/ESP flags are set) or not.
	4. if it matches, it is forwarded to filterset B.
	5. the packet is now sent through the alternate ruleset.

this does slow things down a bit, but it allows for some more fine grained
filtering.

within IPFilter you can set match rules; i don't know how difficult it
would be to set them to recognise IPSec packets.

	If you match this flag, then jump to rule set XXXX.


i think that's about the best solution i can think of, at 2:30 in the
morning..

tear it apart.




-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan@caustic.org
   "Never laugh at someone until you've walked a mile in their
         shoes. Then laugh. For you are a mile away, and
                      you have their shoes."
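The two-ruleset flow sketched in steps 1-5 above, as an added example for this archive page (it is not code from the original post, from ipfw or from IPFilter): a normal ruleset A whose first rule matches the IPsec protocol numbers (ESP is IP protocol 50, AH is 51) and hands the packet to an alternate ruleset B, the way an ipfw skipto action would. Everything below is assumed for illustration: the rule names, the "skipto:B" action string, the peer network 198.51.100.0/24 and the sample packets are all constructed here.

```python
"""Two-stage packet filter: ruleset A hands IPsec traffic (AH/ESP) off to an
alternate ruleset B, modelled on an ipfw-style skipto.  Added example for this
archive page; not code from the original post or from any FreeBSD tool."""
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51

# Hypothetical policy input: the only network ESP tunnels are expected from.
TUNNEL_PEERS = ipaddress.ip_network("198.51.100.0/24")


def make_ipv4(proto, src, dst, payload=b""):
    """Construct a minimal IPv4 packet (20-byte header, checksum left zero).
    Only used to build sample input for this example."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def parse_ipv4(pkt):
    """Return (proto, src, dst) from the IPv4 header.  Malformed input is
    rejected rather than guessed at, so a truncated packet cannot fall
    through both rulesets on a misread protocol field."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    return pkt[9], ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])


def is_ipsec(proto, src, dst):
    """Step 3 of the post: the protocol field says AH (51) or ESP (50)."""
    return proto in (IPPROTO_ESP, IPPROTO_AH)


# Each ruleset is an ordered list of (rule name, predicate, action), first
# match wins.  The action "skipto:B" models ipfw's skipto: evaluation
# continues in ruleset B instead of ending here.
RULESET_A = [
    ("a-ipsec-skipto", is_ipsec, "skipto:B"),
    ("a-allow-tcp", lambda p, s, d: p == IPPROTO_TCP, "allow"),
    ("a-allow-udp", lambda p, s, d: p == IPPROTO_UDP, "allow"),
    ("a-deny-default", lambda p, s, d: True, "deny"),
]
RULESET_B = [
    ("b-allow-esp-from-peer",
     lambda p, s, d: p == IPPROTO_ESP and s in TUNNEL_PEERS, "allow"),
    ("b-deny-ah", lambda p, s, d: p == IPPROTO_AH, "deny"),
    ("b-deny-default", lambda p, s, d: True, "deny"),
]
RULESETS = {"A": RULESET_A, "B": RULESET_B}


def run_ruleset(rules, fields):
    """First-match evaluation; a ruleset without a catch-all is a bug."""
    for name, pred, action in rules:
        if pred(*fields):
            return name, action
    raise RuntimeError("ruleset has no default rule")


def filter_packet(pkt):
    """Evaluate a packet through A, following any skipto into B.
    Returns (list of rulesets visited, matching rule name, verdict)."""
    fields = parse_ipv4(pkt)
    path, current = [], "A"
    while True:
        if current in path:
            raise RuntimeError("skipto loop between rulesets")
        path.append(current)
        name, action = run_ruleset(RULESETS[current], fields)
        if action.startswith("skipto:"):
            current = action.split(":", 1)[1]
            continue
        return path, name, action


if __name__ == "__main__":
    samples = [  # constructed packets, addresses from documentation ranges
        ("tcp", make_ipv4(IPPROTO_TCP, "203.0.113.5", "192.0.2.1")),
        ("esp-from-peer", make_ipv4(IPPROTO_ESP, "198.51.100.7", "192.0.2.1")),
        ("esp-from-stranger", make_ipv4(IPPROTO_ESP, "203.0.113.9", "192.0.2.1")),
        ("ah-from-peer", make_ipv4(IPPROTO_AH, "198.51.100.7", "192.0.2.1")),
    ]
    for label, pkt in samples:
        print(label, filter_packet(pkt))
```

The cost the post mentions shows up as the second ruleset walk for every AH/ESP packet; the gain is that ruleset B can express policy that only makes sense for IPsec (for instance, accepting ESP solely from known tunnel peers) without cluttering ruleset A, and a packet that reaches the end of either ruleset still hits an explicit default rule.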