From: "Bjoern A. Zeeb"
To: "Nickolay A. Kritsky"
Cc: freebsd-net@freebsd.org
Date: Fri, 30 Jul 2004 05:04:49 +0000 (UTC)
Subject: Re: ipsec packet filtering
In-Reply-To: <652582171.20040730075831@star-sw.com>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, 30 Jul 2004, Nickolay A. Kritsky wrote:

> Hello freebsd-net,
>
> From searching the archives this looks like an old issue, but I
> still can't understand something.
> AFAIU, now the ipfw + ipsec interoperation looks like this:
> input: encrypted packet comes to system. It is not checked against
> ipfw rules. Rules are applied to decrypted payload packet.
> output: packet is going to leave the system encrypted by ipsec. The
> packet itself is not checked by firewall, but, after encryption, the
> resulting ESP packet is run against ipfw rules.
> I am sorry, but I still cannot understand the reasons for such
> strange, ugly behaviour. Does anybody know the reasons for that and
> what the chances are that we ever get fully-functional ipfw code
> checking _every_ packet on the stack.

I do not understand what you are trying to do, but filtering ipsec
encrypted packets in ipfw has been available for quite some time now.

I can and do check packets that:

- come in encrypted and leave unencrypted
- come in encrypted and leave encrypted
- come in encrypted and leave re-encrypted
- come in unencrypted and go out encrypted
- come in encrypted and do not leave the system

Please see the ipsec option in the ipfw manpage if that is what you
are searching for.

What cannot be done with FreeBSD is ipsec NAT traversal.

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
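The ruleset below is an added example, not code from either poster or from the FreeBSD project. It shows the pattern Bjoern's reply points at: the ipfw `ipsec` rule option matches an inner packet that the kernel decapsulated from ESP/AH, so a gateway can accept traffic from the remote prefix only when it actually arrived protected and log the same prefix arriving in cleartext. The interface names, prefixes and rule numbers are constructed for illustration; the outer IKE/ESP rules and the inner-packet rules are kept separate because they match different packets. By default the script only prints the `ipfw` commands (`FWCMD="echo ipfw"`); run it as root with `FWCMD=ipfw` on a FreeBSD host whose kernel has IPSEC support to load them.

```sh
#!/bin/sh
# Added example (not part of the original thread): ipfw ruleset for a
# site-to-site IPsec gateway that uses the "ipsec" rule option to admit
# only traffic that really arrived inside a security association.
#
# Assumptions for illustration (constructed, adjust to taste):
#   ext_if  interface facing the peer gateway
#   lan     local network behind this gateway
#   remote  network behind the peer, reached through the tunnel
# FWCMD defaults to a dry run that prints the rules instead of loading them.

FWCMD=${FWCMD:-"echo ipfw"}
ext_if=em0
lan=192.168.1.0/24
remote=10.0.0.0/8

ipsec_rules() {
    $FWCMD -f flush

    # Outer packets: IKE negotiation and the ESP envelopes themselves.
    # These are addressed to the gateway ("me") and carry no payload
    # addresses we could filter on, so they are admitted here.
    $FWCMD add 100 allow udp from any to me 500 in via "$ext_if"
    $FWCMD add 110 allow udp from me 500 to any out via "$ext_if"
    $FWCMD add 120 allow esp from any to me in via "$ext_if"
    $FWCMD add 130 allow esp from me to any out via "$ext_if"

    # Inner packets after decapsulation: "ipsec" matches only packets
    # with IPsec history. A cleartext packet spoofing the remote prefix
    # does not match rule 200 and is caught and logged by rule 210.
    $FWCMD add 200 allow ip from "$remote" to "$lan" in via "$ext_if" ipsec
    $FWCMD add 210 deny log ip from "$remote" to "$lan" in via "$ext_if"

    # Payload bound for the peer network; the ESP envelope it ends up in
    # is the packet rule 130 admits on the way out.
    $FWCMD add 300 allow ip from "$lan" to "$remote" out via "$ext_if"

    $FWCMD add 65000 deny log ip from any to any
}

ipsec_rules
```

The order of rules 200 and 210 is the point: because ipfw stops at the first match, the `ipsec`-qualified allow must precede the unqualified deny for the same prefix, otherwise the deny would also drop the legitimate decapsulated traffic.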