Date:      Tue, 15 Jan 2002 14:22:17 +0200
From:      Ari Suutari <ari.suutari@syncrontech.com>
To:        Alex Le Heux <alexlh@funk.org>
Cc:        Rene de Vries <rene@canyon.xs4all.nl>, Kshitij Gunjikar <kshitijgunjikar@yahoo.com>, net@FreeBSD.ORG
Subject:   Re: Filtering packets received through an ipsec tunnel
Message-ID:  <200201151213.g0FCDbw92015@guinness.syncrontech.com>
In-Reply-To: <20020115121821.GU75815@funk.org>
References:  <E4E6F464-0917-11D6-AC08-00039357FA7A@canyon.xs4all.nl> <200201150733.g0F7Xww91320@guinness.syncrontech.com> <20020115121821.GU75815@funk.org>

Hi,

On Tuesday 15 January 2002 14:18, Alex Le Heux wrote:
>  
> > 	Maybe one could remove this, add 'ipsec' flag to ipfw 
> > 	(which would use the above ipsec_gethist to match it)
> > 	so the syntax would be something like this:
> > 
> > 	ipfw add pass tcp from a to b ipsec setup # matches only packets that came via ipsec stack
> > 	ipfw add pass 50 from a to b # matches packets that didn't come via ipsec
> 
> [snip]
> 
> This looks like it would work for most situations.
> 
> What one would not be able to do this way is prevent spoofing. In an ideal
> world I would also want to filter packets that come from the wrong tunnel.

	But doesn't the ipsec stack already take care of this? I think (hope)
	that it doesn't process the packet if it is coming from the wrong tunnel,
	because the packet does not match the policy.

		Ari S.
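The two checks the thread is discussing, as an added example that is not part of the original messages and not FreeBSD code: a small Python model of (1) the inbound IPsec policy check Ari expects to reject a packet that arrives through the wrong tunnel, and (2) an ipfw-style rule list with the proposed `ipsec` flag, which only matches packets carrying IPsec history. The `setup` keyword from the proposed syntax is left out. The security policy database, rule set, addresses, peers and packets below are all constructed for illustration; none of the names (`ipsec_input`, `ipfw_match`, `receive`) are real kernel or ipfw interfaces.

```python
"""Model of inbound IPsec policy checking plus an ipfw 'ipsec' rule flag.

Added example for the thread above; not FreeBSD code.  A packet is a dict.
The "IPsec history" the thread mentions (ipsec_gethist) is modelled as the
tunnel peer the packet was decapsulated from.
"""
import ipaddress

ESP = 50   # IP protocol number of ESP
TCP = 6

# Constructed security policy database: inner traffic selector -> the only
# tunnel peer that may deliver that traffic.  Decapsulated traffic whose
# addresses match a selector but arrived from a different peer is dropped.
SPD = [
    {"src": "10.1.0.0/16", "dst": "10.2.0.0/16", "peer": "192.0.2.1"},
    {"src": "10.3.0.0/16", "dst": "10.2.0.0/16", "peer": "192.0.2.2"},
]


def _in_net(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def ipsec_input(wire_pkt):
    """Decapsulate an ESP packet and apply the inbound policy check.

    The outer source address is the tunnel peer.  Returns the inner packet
    tagged with IPsec history, or None when the policy for the inner
    addresses names a different peer (the "wrong tunnel" spoofing case) or
    when no policy covers the inner addresses at all.
    """
    peer = wire_pkt["src"]
    inner = dict(wire_pkt["inner"])
    for pol in SPD:
        if _in_net(pol["src"], inner["src"]) and _in_net(pol["dst"], inner["dst"]):
            if pol["peer"] != peer:
                return None          # came through the wrong tunnel
            inner["ipsec_hist"] = peer
            return inner
    return None                      # no policy admits this inner traffic


def make_rule(action, proto, src, dst, ipsec=False):
    """Build one rule; proto is a number or "ip" (any), addresses are CIDR or "any"."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ipsec": ipsec}


def ipfw_match(rules, pkt):
    """First-match rule evaluation.  A rule with ipsec=True only matches a
    packet that carries IPsec history, i.e. one that came via the ipsec stack."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (_in_net(r["src"], pkt["src"]) and _in_net(r["dst"], pkt["dst"])):
            continue
        if r["ipsec"] and pkt.get("ipsec_hist") is None:
            continue
        return r["action"]
    return "deny"                    # implicit default deny


# Constructed rule set following the proposal in the thread:
#   pass tcp from a to b ipsec      (inner traffic, only if it came via IPsec)
#   pass 50  from peer to gateway   (the ESP packets themselves)
#   deny ip  from any to any
RULES = [
    make_rule("pass", TCP, "10.1.0.0/16", "10.2.0.0/16", ipsec=True),
    make_rule("pass", TCP, "10.3.0.0/16", "10.2.0.0/16", ipsec=True),
    make_rule("pass", ESP, "192.0.2.1/32", "198.51.100.1/32"),
    make_rule("pass", ESP, "192.0.2.2/32", "198.51.100.1/32"),
    make_rule("deny", "ip", "any", "any"),
]


def receive(rules, wire_pkt):
    """Filter the packet as received on the wire; if it is ESP and passes,
    decapsulate it and filter the inner packet again (as the decapsulated
    packet is re-injected into the input path).  Returns the final verdict."""
    verdict = ipfw_match(rules, wire_pkt)
    if verdict != "pass" or wire_pkt["proto"] != ESP:
        return verdict
    inner = ipsec_input(wire_pkt)
    if inner is None:
        return "policy-drop"
    return ipfw_match(rules, inner)


def esp(peer, inner_src, inner_dst):
    """Constructed ESP packet from `peer` to the gateway carrying an inner TCP packet."""
    return {"proto": ESP, "src": peer, "dst": "198.51.100.1",
            "inner": {"proto": TCP, "src": inner_src, "dst": inner_dst}}


# Constructed test packets.
CLEAR_SPOOF = {"proto": TCP, "src": "10.1.5.5", "dst": "10.2.1.1"}   # no IPsec history
GOOD_TUNNEL = esp("192.0.2.1", "10.1.5.5", "10.2.1.1")              # right peer for 10.1/16
WRONG_TUNNEL = esp("192.0.2.2", "10.1.5.5", "10.2.1.1")             # 10.1/16 via peer 2
UNKNOWN_PEER = esp("203.0.113.9", "10.1.5.5", "10.2.1.1")            # no ESP rule for it

if __name__ == "__main__":
    for name, pkt in [("clear spoof", CLEAR_SPOOF), ("good tunnel", GOOD_TUNNEL),
                      ("wrong tunnel", WRONG_TUNNEL), ("unknown peer", UNKNOWN_PEER)]:
        print(f"{name:13s} -> {receive(RULES, pkt)}")
```

The interesting case is the third packet: the ipfw `ipsec` flag alone cannot tell that inner source 10.1.5.5 arrived through the tunnel for peer 192.0.2.2, because the packet does carry IPsec history; it is the policy check in `ipsec_input`, run before the firewall sees the inner packet, that rejects it.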

