Date: Wed, 6 Mar 2002 14:52:18 +0300 (MSK) From: Alexey Zakirov <frank@agava.com> To: "Crist J. Clark" <cjc@FreeBSD.ORG> Cc: "Dalin S. Owen" <dowen@pstis.com>, <freebsd-security@FreeBSD.ORG> Subject: Re: ESP + IPFW Message-ID: <Pine.BSF.4.32.0203061446500.39214-100000@hellbell.domain> In-Reply-To: <20020304212850.M87533@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 4 Mar 2002, Crist J. Clark wrote:
> > #workstation
> > ipfw add 10 allow esp from any to any
> >
> > Now, everything works fine. But I would like to be able to firewall the
> > packets *after* they are translated by IPSec (ESP) with IPFW? How would I
> > do that? They seem to only pass into IPFW once, not twice.. Can you run IPF
> > with IPFW to do it, and in that case which firewalling system gets matched
> > first?
>
> Yep. They go through ipfw(8) once. If you run ipf(8), they go through
> ipf(8) then ipfw(8)... once.
You _can't_ fliter packets "*after* they are translated by IPSec". It's
because of the change in ip_input.c which happened about summer. This is a
patch that I have to apply to the most of my natd/gateways machines to get
NAT work:
=======================================================================
--- ip_input.c.orig Thu Jan 17 20:32:21 2002
+++ ip_input.c Thu Jan 17 20:32:58 2002
@@ -391,10 +391,12 @@
m_adj(m, ip->ip_len - m->m_pkthdr.len);
}
+/* XXX breaks tunnels/nat/etc
#ifdef IPSEC
if (ipsec_gethist(m, NULL))
goto pass;
#endif
+*/
/*
* IpHack's section.
=======================================================================
*** WBR, Alexey Zakirov (frank@agava.com)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.32.0203061446500.39214-100000>