Date:      Mon, 4 Mar 2002 18:15:16 -0700
From:      "Dalin S. Owen" <dowen@pstis.com>
To:        freebsd-security@freebsd.org
Subject:   ESP + IPFW
Message-ID:  <20020305021845.510AE37B41C@hub.freebsd.org>


I have IPsec running between two FreeBSD machines (over an 802.11b link); 
they are manually keyed (not using an IKE daemon).  First question: is it 
more secure to use IKE?  I mean, doesn't it rotate keys, instead of just 
using static ones?  And if I use IKE, can those generated keys be sniffed, 
or are they encrypted with the last key?

Now, another issue.  I have the following rules on each machine with ipfw (I 
am only going to show the relevant ones for simplicity): 

#nat box (I have a separate interface for the 802.11 AP)
ipfw add 10 allow esp from any to any via dc1
#this stops anyone from using my AP
ipfw add 20 deny ip from any to any via dc1

#workstation
ipfw add 10 allow esp from any to any

Now, everything works fine.  But I would like to be able to firewall the 
packets *after* they are translated by IPsec (ESP) with IPFW.  How would I 
do that?  They seem to only pass into IPFW once, not twice.  Can you run IPF 
with IPFW to do it, and in that case which firewalling system gets matched 
first?

Thanks!
Dalin Owen
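The post's first question is about static versus rotated keys. As an added example, not code from the original post nor from FreeBSD itself, the script below does the one thing manual keying allows: it generates fresh random per-direction keys and emits a setkey(8) script for a transport-mode ESP pair, so that re-running it on both hosts replaces the static keys. The addresses (192.168.1.1 and 192.168.1.2), the SPIs (0x1000 and 0x1001) and the algorithm choice (rijndael-cbc with a 256-bit key and hmac-sha2-256, whose key sizes follow setkey(8)) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: generate fresh random keys for
# a manually keyed ESP SA pair and print setkey(8) scripts for both hosts.
# Addresses, SPIs and algorithms below are assumptions for illustration.

set -eu

LOCAL_IP=192.168.1.1    # assumed address of the NAT box
REMOTE_IP=192.168.1.2   # assumed address of the workstation
SPI_OUT=0x1000          # assumed SPI for the local -> remote SA
SPI_IN=0x1001           # assumed SPI for the remote -> local SA

# Print N random bytes from /dev/urandom as lowercase hex (no 0x prefix).
gen_key_hex() {
    dd if=/dev/urandom bs=1 count="$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Return 0 if HEX has one of the permitted sizes in BITS (space separated),
# e.g. check_key_len "$k" "128 192 256" for rijndael-cbc per setkey(8).
check_key_len() {
    hex=$1; allowed=$2
    bits=$(( ${#hex} * 4 ))
    for b in $allowed; do
        [ "$bits" -eq "$b" ] && return 0
    done
    return 1
}

# One SAD "add" line for a transport-mode ESP SA: src dst spi enc_hex auth_hex.
sa_line() {
    printf 'add %s %s esp %s -E rijndael-cbc 0x%s -A hmac-sha2-256 0x%s;\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Two SPD entries requiring ESP for all traffic between src and dst.
spd_lines() {
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# Build a complete setkey script. Args: role (local|peer) enc_out auth_out
# enc_in auth_in. Fails (return 1) if a key has a length setkey would reject.
build_setkey_conf() {
    role=$1; enc_out=$2; auth_out=$3; enc_in=$4; auth_in=$5
    for k in "$enc_out" "$enc_in"; do
        check_key_len "$k" "128 192 256" || return 1
    done
    for k in "$auth_out" "$auth_in"; do
        check_key_len "$k" "256" || return 1
    done
    echo 'flush;'
    echo 'spdflush;'
    # The SAD entries are the same on both hosts: an SA is identified by its
    # (src, dst, spi) triple, so each side installs both directions.
    sa_line "$LOCAL_IP" "$REMOTE_IP" "$SPI_OUT" "$enc_out" "$auth_out"
    sa_line "$REMOTE_IP" "$LOCAL_IP" "$SPI_IN" "$enc_in" "$auth_in"
    # Only the policy direction differs between the two hosts.
    if [ "$role" = local ]; then
        spd_lines "$LOCAL_IP" "$REMOTE_IP"
    else
        spd_lines "$REMOTE_IP" "$LOCAL_IP"
    fi
}

# Generate one key set and print the script for each host, marked with a
# setkey comment line so the output can be split into two files.
ENC_OUT=$(gen_key_hex 32); AUTH_OUT=$(gen_key_hex 32)
ENC_IN=$(gen_key_hex 32);  AUTH_IN=$(gen_key_hex 32)
echo "# setkey script for $LOCAL_IP"
build_setkey_conf local "$ENC_OUT" "$AUTH_OUT" "$ENC_IN" "$AUTH_IN"
echo "# setkey script for $REMOTE_IP"
build_setkey_conf peer "$ENC_OUT" "$AUTH_OUT" "$ENC_IN" "$AUTH_IN"
```

Split the output at the comment lines, load each half with `setkey -f` on the matching host, and move the files over a channel that is already authenticated and encrypted: with manual keying the file is the whole secret, and anyone who sniffs it on the 802.11b link can decrypt every ESP packet keyed from it.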
