Date:      Tue, 19 Nov 2002 16:08:26 +0100
From:      Guido van Rooij <guido@gvr.org>
To:        David Kelly <dkelly@HiWAAY.net>
Cc:        Scott Ullrich <sullrich@CRE8.COM>, 'Archie Cobbs' <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID:  <20021119150826.GA42097@gvr.gvr.org>
In-Reply-To: <200211190754.29355.dkelly@HiWAAY.net>
References:  <2F6DCE1EFAB3BC418B5C324F13934C9601D23C35@exchange.corp.cre8.com> <20021119110336.GA12956@gvr.gvr.org> <200211190754.29355.dkelly@HiWAAY.net>

On Tue, Nov 19, 2002 at 07:54:29AM -0600, David Kelly wrote:
> 
> The problem is that while ESP packets arrive to be processed by 
> IPsec just fine through my ipfw rules, when the packets are de-encrypted 
> and re-inserted into the kernel they appear to ipfw to be coming from 
> my external interface (the one they arrived on via ESP). tcpdump can't 
> find them (decrypted) on the external interface.

The reason tcpdump cannot find them on the external interface is because
they are coming out of your gif interface. If ipfw thinks they are coming
from your physical external interface, ipfw has a bug that needs to be fixed.

> The issue I have with this is that I have/had antispoofing rules 
> forbidding 192.168.0.0/16 via external NIC but because my remote net 
> which is being tunneled is in that range I have had to open a rule 
> on the external interface to allow it. This rule allows external 
> internet and my VPN traffic. One end of the tunnel is in 10.0.0.0/24
> and the other end is in 192.168.100.0/24.
> 
> I don't mind these packets being run through ipfw twice. It's just that 
> they are unique in their own way for how they got here but are not 
> being identified with a unique interface. If they were appearing on 
> gif0 there wouldn't be an issue.
> 
> Suspect this is related to ipfw changes recently. Should we add the 
> ipfw list to the discussion?
> 
> Another way of saying it, "had to add rule 550 for my tunnel to work:"
> 
> 00100    6382   2963406 allow ip from any to any via lo0
> 00200       0         0 deny ip from any to 127.0.0.0/8
> 00300       0         0 deny ip from 127.0.0.0/8 to any
> 00400       0         0 deny ip from 10.0.0.0/24 to any in recv fxp1
> 00500       0         0 deny ip from 24.214.110.0/24 to any in recv fxp0
> 00550   29238   3166400 allow ip from 192.168.100.0/24 to 10.0.0.0/24 in recv fxp1
> 00600       0         0 deny ip from any to 10.0.0.0/8 via fxp1
> 00700       0         0 deny ip from any to 172.16.0.0/12 via fxp1
> 00800       0         0 deny log ip from any to 192.168.0.0/16 via fxp1
> 00900       0         0 deny ip from any to 0.0.0.0/8 via fxp1
> 01000       0         0 deny ip from any to 169.254.0.0/16 via fxp1
> 01100       0         0 deny ip from any to 192.0.2.0/24 via fxp1
> 01200       0         0 deny ip from any to 224.0.0.0/4 via fxp1
> 01300   13738   4506273 deny ip from any to 240.0.0.0/4 via fxp1
> 01400  787470 364186135 divert 8668 ip from any to any via fxp1
> [...]

I don't see any rules for your gif interface?

-Guido

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
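The exchange above turns on one point: once decapsulated tunnel packets are attributed to the physical interface, ipfw cannot tell them apart from forged packets arriving from the Internet with a remote-LAN source address, so rule 550 necessarily admits both. The following is an added example, not code from the thread or from FreeBSD, written as a small Python simulator of ipfw's first-match semantics. Rule 550 is taken from the post; rule 600 (an anti-spoofing deny of the kind David describes), rule 65000, the gif0-anchored variant, and the sample addresses 192.168.100.5 and 10.0.0.7 are constructed. The gif0 variant assumes, as Guido states, that ipfw sees decapsulated packets on the gif interface; ipfw's recv/xmit/via distinctions are collapsed into a single "attributed interface" field, which is all the question needs.

```python
"""Constructed ipfw-style first-match simulator (not part of the thread).

Shows why rule 550 weakens the anti-spoofing policy when decapsulated
tunnel packets are attributed to the physical interface (fxp1) instead
of the tunnel interface (gif0).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    direction: str  # "in" or "out"
    iface: str      # interface ipfw attributes the packet to


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    src: str                         # network in CIDR form, or "any"
    dst: str
    direction: Optional[str] = None  # "in", "out", or None for either
    iface: Optional[str] = None      # interface name, or None for any
    # Simplification: ipfw's recv/xmit/via keywords collapse into
    # "the interface ipfw attributes the packet to".


def _net_match(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))


def verdict(ruleset: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins, as in ipfw; default is deny (rule 65535)."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535


# Rule 550 as posted, followed by a constructed anti-spoofing rule (600)
# of the kind the post describes, then a constructed catch-all allow.
WORKAROUND = [
    Rule(550, "allow", "192.168.100.0/24", "10.0.0.0/24", "in", "fxp1"),
    Rule(600, "deny", "192.168.0.0/16", "any", "in", "fxp1"),
    Rule(65000, "allow", "any", "any"),
]

# Same policy with the tunnel allow anchored on gif0. Assumes, as Guido
# states, that ipfw sees the decapsulated packets on the gif interface.
GIF_ANCHORED = [
    Rule(550, "allow", "192.168.100.0/24", "10.0.0.0/24", "in", "gif0"),
    Rule(600, "deny", "192.168.0.0/16", "any", "in", "fxp1"),
    Rule(65000, "allow", "any", "any"),
]

# Constructed sample packets. A forged packet from the Internet claiming a
# remote-LAN source looks, to ipfw, exactly like a decapsulated tunnel
# packet whenever both are attributed to fxp1; only the gif0 attribution
# separates them.
SPOOFED_ON_FXP1 = Packet("192.168.100.5", "10.0.0.7", "in", "fxp1")
TUNNEL_ON_GIF0 = Packet("192.168.100.5", "10.0.0.7", "in", "gif0")


def compare() -> dict:
    """Return the verdict each ruleset gives for each sample packet."""
    return {
        "workaround/spoofed": verdict(WORKAROUND, SPOOFED_ON_FXP1),
        "gif_anchored/tunnel": verdict(GIF_ANCHORED, TUNNEL_ON_GIF0),
        "gif_anchored/spoofed": verdict(GIF_ANCHORED, SPOOFED_ON_FXP1),
    }


if __name__ == "__main__":
    for name, (action, number) in compare().items():
        print(f"{name:22s} -> {action} (rule {number})")
```

With the posted workaround the forged packet on fxp1 is accepted by rule 550; with the allow anchored on gif0 the same packet falls through to the anti-spoofing deny while the tunnel traffic on gif0 is still accepted. That is the practical reason Guido asks about rules for the gif interface: the policy can only stay tight if the kernel attributes decapsulated packets to gif0 and the rules key on that.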