Date: Wed, 6 Mar 2002 14:52:18 +0300 (MSK) From: Alexey Zakirov <frank@agava.com> To: "Crist J. Clark" <cjc@FreeBSD.ORG> Cc: "Dalin S. Owen" <dowen@pstis.com>, <freebsd-security@FreeBSD.ORG> Subject: Re: ESP + IPFW Message-ID: <Pine.BSF.4.32.0203061446500.39214-100000@hellbell.domain> In-Reply-To: <20020304212850.M87533@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 4 Mar 2002, Crist J. Clark wrote: > > #workstation > > ipfw add 10 allow esp from any to any > > > > Now, everything works fine. But I would like to be able to firewall the > > packets *after* they are translated by IPSec (ESP) with IPFW? How would I > > do that? They seem to only pass into IPFW once, not twice.. Can you run IPF > > with IPFW to do it, and in that case which firewalling system gets matched > > first? > > Yep. They go through ipfw(8) once. If you run ipf(8), they go through > ipf(8) then ipfw(8)... once. You _can't_ fliter packets "*after* they are translated by IPSec". It's because of the change in ip_input.c which happened about summer. This is a patch that I have to apply to the most of my natd/gateways machines to get NAT work: ======================================================================= --- ip_input.c.orig Thu Jan 17 20:32:21 2002 +++ ip_input.c Thu Jan 17 20:32:58 2002 @@ -391,10 +391,12 @@ m_adj(m, ip->ip_len - m->m_pkthdr.len); } +/* XXX breaks tunnels/nat/etc #ifdef IPSEC if (ipsec_gethist(m, NULL)) goto pass; #endif +*/ /* * IpHack's section. ======================================================================= *** WBR, Alexey Zakirov (frank@agava.com) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.32.0203061446500.39214-100000>