Date:      Thu, 19 Jun 2003 13:31:40 +0300
From:      Ari Suutari <ari.suutari@syncrontech.com>
To:        freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   patches for ipsec packet filtering support  in ipfw2
Message-ID:  <200306191331.40421.ari.suutari@syncrontech.com>



Hi,

Here are two small patches (done on 5.1-RELEASE, but should
be ok for -current also) which add a new "ipsec" flag to ipfw2.
Rules with this flag match only packets that have
ipsec history (i.e. came from ipsec processing). Rules with
"not ipsec" match only non-ipsec packets. Without
the new keyword, both types of packets match (as before).

To try these out, apply the patches, and compile
the kernel with

options IPFIREWALL
options IPSEC
options IPSEC_ESP
options IPSEC_FILTERGIF

Also, recompile /usr/src/sbin/ipfw and install it.

With the new flag it is easily possible to
stop spoofing from RFC1918 networks, but
allow traffic from those nets if it is coming
from IPsec:

ipfw add deny all from 192.168.0.0/16 to any via ${oif} not ipsec
ipfw add pass tcp from 192.168.x.y/24 to a.b.c.d 23 ipsec setup

This example drops spoofed packets, but allows
a telnet connection *if* the packet comes via ipsec.

My testing has been done on a 5.1-RELEASE machine.
It seems to work, and it didn't crash anything.

I hope that this flag is useful to others too, maybe
someone could get it committed into -current?

	Ari S.
	Lappeenranta, Finland

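Added example, not code from the post or from the ipfw source: a Python model of ipfw2 first-match rule evaluation with the proposed three-way ipsec option (keyword absent, "ipsec", "not ipsec"), so the anti-spoofing effect of the two rules above can be checked offline. It assumes a default-deny policy and uses constructed values in place of the post's placeholders ${oif}, 192.168.x.y/24 and a.b.c.d.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int]
    iface: str            # interface the packet traverses (matched by "via")
    ipsec: bool           # True when the packet carries IPsec history
    setup: bool = False   # TCP SYN without ACK (ipfw "setup")

@dataclass
class Rule:
    action: str                   # "deny" or "pass"
    proto: str                    # "all" or a protocol name
    src: str                      # CIDR or "any"
    dst: str
    dport: Optional[int] = None
    via: Optional[str] = None
    ipsec: Optional[bool] = None  # None: keyword absent; True: "ipsec"; False: "not ipsec"
    setup: bool = False

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.proto == "all" or rule.proto == pkt.proto)
        and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.via is None or rule.via == pkt.iface)
        and (rule.ipsec is None or rule.ipsec == pkt.ipsec)  # the new flag: absent matches both
        and (not rule.setup or pkt.setup)
    )

def evaluate(rules: list, pkt: Packet, default: str = "deny") -> str:
    for rule in rules:          # first matching rule decides, as in ipfw
        if rule_matches(rule, pkt):
            return rule.action
    return default              # stands in for the kernel's default policy (assumed deny)

# Constructed values: fxp0 for ${oif}, 192.168.1.0/24 for 192.168.x.y/24, 10.0.0.5 for a.b.c.d
RULES = [
    Rule("deny", "all", "192.168.0.0/16", "any", via="fxp0", ipsec=False),
    Rule("pass", "tcp", "192.168.1.0/24", "10.0.0.5", dport=23, ipsec=True, setup=True),
]
```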