From: Christian Kratzer <ck-lists@cksoft.de>
To: Luigi Rizzo
cc: freebsd-ipfw@FreeBSD.org
cc: ari.suutari@syncrontech.com
Date: Thu, 10 Jul 2003 11:12:49 +0200 (CEST)
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Message-ID: <20030710110751.L84774@majakka.cksoft.de>
In-Reply-To: <20030706234624.A45394@xorpc.icir.org>
References: <200307070113.h671DPeG082710@freefall.freebsd.org> <3F08DABB.2020509@tenebras.com> <20030706234624.A45394@xorpc.icir.org>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

Hi,

On Sun, 6 Jul 2003, Luigi Rizzo wrote:

> On Sun, Jul 06, 2003 at 07:28:11PM -0700, Michael Sierchio wrote:
> > Luigi Rizzo wrote:
> > > Synopsis: patches for ipfw2 to support ipsec packet filtering
> > >
> > > State-Changed-From-To: open->closed
> > > State-Changed-By: luigi
> > > State-Changed-When: Sun Jul 6 18:13:14 PDT 2003
> > > State-Changed-Why:
> > > committed, thanks
> >
> > Question: How does this interact with Sam Leffler's FAST_IPSEC ?
>
> i believe it works in the way you mention.
>
> luigi
>
> > That is, may we instead of
> >
> > options IPFIREWALL
> > options IPSEC
> > options IPSEC_ESP
> > options IPSEC_FILTERGIF
> >
> > do this
> >
> > options IPFIREWALL
> > options FAST_IPSEC
> > options IPSEC_FILTERGIF

We applied the patch to a RELENG_4 system but can't seem to be able to catch packets based on whether or not they have IPsec history.

We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.

We currently have an IPsec ESP tunnel running between two locations without any gif tunnels. IPSEC_FILTERGIF seems to be working fine, as packets are now being filtered by our ipfw ruleset.

We can't match any packets based on the ipsec or not ipsec flags in ipfw2.

I just wanted to ask if somebody knows the obvious before I start digging my head into the code.

Greetings
Christian

--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de
Phone: +49 7452 889-135
Open Software Solutions, Network Security
Fax: +49 7452 889-136
FreeBSD spoken here!
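For readers following this thread, here is an added example of the kind of ruleset the ipsec/not ipsec match is meant for; it is not from the thread or from the committed patch. It assumes a kernel built with IPSEC, IPSEC_ESP, IPSEC_FILTERGIF and IPFW2, and uses constructed addresses (local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, outside interface fxp0) in ipfw(8) rules-file format, loaded with `ipfw -q /etc/ipfw.rules`.

```text
# /etc/ipfw.rules (example, constructed addressing and interface name)
flush

# Outer packets of the tunnel between the two gateways: IKE and ESP.
add 100 allow udp from any 500 to me 500 in recv fxp0
add 110 allow udp from me 500 to any 500 out xmit fxp0
add 120 allow esp from any to me in recv fxp0
add 130 allow esp from me to any out xmit fxp0

# Inner packets: with IPSEC_FILTERGIF the decapsulated packet is passed
# through ipfw again, carrying IPsec history, so "ipsec" matches it while
# a cleartext packet with the same addresses does not.
add 200 allow ip from 192.168.2.0/24 to 192.168.1.0/24 in ipsec

# Cleartext traffic using the remote LAN's addresses never came through
# the tunnel; log and drop it instead of trusting the source address.
add 210 deny log ip from 192.168.2.0/24 to 192.168.1.0/24 in not ipsec

# Outbound toward the remote LAN is still cleartext when ipfw sees it
# (encapsulation happens afterwards), so "ipsec" is not required here.
add 300 allow ip from 192.168.1.0/24 to 192.168.2.0/24 out

add 65000 deny log ip from any to any
```

Rule 210 is the one that fires in the situation Christian describes: if "not ipsec" never matches anything while "ipsec" never matches either, the history is not being attached, and a counter on rule 200 versus 210 makes that visible without reading the code.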