From: "Dennis Pedersen"
To: "Crist J. Clark"
Subject: Re: ESP + IPFW
Date: Tue, 5 Mar 2002 10:40:12 +0100
Message-ID: <002301c1c42a$298a13f0$0301a8c0@dpws>
Sender: owner-freebsd-security@FreeBSD.ORG

----- Original Message -----
From: "Crist J. Clark"
Sent: Tuesday, March 05, 2002 6:28 AM
Subject: Re: ESP + IPFW

> > Now, everything works fine. But I would like to be able to firewall the
> > packets *after* they are translated by IPSec (ESP) with IPFW? How would I
> > do that? They seem to only pass into IPFW once, not twice.. Can you run IPF
> > with IPFW to do it, and in that case which firewalling system gets matched
> > first?
>
> Yep. They go through ipfw(8) once. If you run ipf(8), they go through
> ipf(8) then ipfw(8)... once.

I'm currently running natd, racoon (with gif) and ipfw on the same box.
I can't seem to figure out what process the packets go through right before
ipfw (as in: I don't know what IP number I have to allow the packets from -
is it the peer gif IP, peer WAN IP, peer LAN, gif?)

Anyone got a hint?

Regards,
Dennis