Date:      Fri, 30 Jul 2004 05:04:49 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        "Nickolay A. Kritsky" <nkritsky@star-sw.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipsec packet filtering
Message-ID:  <Pine.BSF.4.53.0407300457460.41939@e0-0.zab2.int.zabbadoz.net>
In-Reply-To: <652582171.20040730075831@star-sw.com>
References:  <652582171.20040730075831@star-sw.com>

On Fri, 30 Jul 2004, Nickolay A. Kritsky wrote:

> Hello freebsd-net,
>
>   From searching the archives this looks like an old issue, but I
>   still can't understand something.
>   AFAIU, now the ipfw + ipsec interoperation looks like this:
>   input: encrypted packet comes to system. It is not checked against
>   ipfw rules. Rules are applied to decrypted payload packet.
>   output: packet is going to leave the system encrypted by ipsec. The
>   packet itself is not checked by firewall, but, after encryption, the
>   resulting ESP packet is run against ipfw rules.
>   I am sorry, but I still cannot understand the reasons for such
>   strange, ugly behaviour. Does anybody know the reasons for that and
>   what chances are that we ever get fully-functional ipfw code
>   checking _every_ packet on the stack.

I do not understand what you are trying to do but filtering ipsec
encrypted packets in ipfw has been available for quite some time now.
I can and do check packets that:
- come in encrypted and leave unencrypted
- come in encrypted and leave encrypted
- come in encrypted and leave re-encrypted
- come in unencrypted and go out encrypted
- come in encrypted and do not leave the system

please see the ipsec option in ipfw manpage if that is what you are
searching for.

What cannot be done with FreeBSD is ipsec NAT traversal.

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
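The reply above points at the ipsec rule option in ipfw(8) as the way to filter packets that arrived through an IPsec SA. The script below is an added illustration, not code from the thread or from FreeBSD: an ipfw rule set for a gateway terminating one tunnel, in which the decrypted inner packet is accepted only when it carries IPsec history, and a cleartext packet spoofing the remote site's addresses on the external interface is dropped and logged. All addresses, interface names and rule numbers are assumptions made for the example, and the rule syntax should be checked against the ipfw(8) manpage of the release in use. The rules are emitted by a function and only printed by default (set IPFW=/sbin/ipfw to actually load them), so the set can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added illustration, not part of the original thread: an ipfw rule set for a
# gateway that terminates an IPsec tunnel, using the "ipsec" rule option that
# the reply refers to. Everything below is an assumption made for the example:
# the addresses (placeholders from the TEST-NET-3 and RFC 1918 ranges), the
# interface names and the rule numbers. Verify the syntax against ipfw(8) on
# your release before loading it.

PEER="${PEER:-203.0.113.10}"            # remote IPsec gateway (placeholder)
REMOTE_NET="${REMOTE_NET:-10.2.0.0/16}" # private network behind the peer
LOCAL_NET="${LOCAL_NET:-10.1.0.0/16}"   # our private network
EXT_IF="${EXT_IF:-em0}"                 # external interface
INT_IF="${INT_IF:-em1}"                 # internal (LAN) interface
IPFW="${IPFW:-echo ipfw}"               # dry run by default; IPFW=/sbin/ipfw installs

# Emit the rules, one "add ..." argument list per line.
ipsec_ruleset() {
    # IKE (UDP/500) and ESP (protocol 50) may only be exchanged with the peer.
    printf 'add 100 allow udp from %s 500 to me 500 in via %s\n' "$PEER" "$EXT_IF"
    printf 'add 110 allow udp from me 500 to %s 500 out via %s\n' "$PEER" "$EXT_IF"
    printf 'add 120 allow esp from %s to me in via %s\n' "$PEER" "$EXT_IF"
    printf 'add 130 allow esp from me to %s out via %s\n' "$PEER" "$EXT_IF"

    # After decapsulation ipfw sees the inner packet a second time. The "ipsec"
    # option matches only packets carrying IPsec history, so rule 200 accepts
    # remote-site traffic that really came through the SA.
    printf 'add 200 allow ip from %s to %s in ipsec\n' "$REMOTE_NET" "$LOCAL_NET"

    # A packet with a remote-site source address that reached us in clear on
    # the external interface never went through the tunnel: drop and log it.
    printf 'add 210 deny log ip from %s to any in via %s\n' "$REMOTE_NET" "$EXT_IF"

    # Cleartext from our LAN towards the remote site enters on the internal
    # interface; after encapsulation it leaves as ESP, covered by rule 130.
    printf 'add 300 allow ip from %s to %s in via %s\n' "$LOCAL_NET" "$REMOTE_NET" "$INT_IF"
    printf 'add 65000 deny log ip from any to any\n'
}

# Feed each rule to $IPFW; with the default IPFW this just prints the commands.
install_ruleset() {
    ipsec_ruleset | while read -r rule; do
        $IPFW $rule
    done
}

# Helpers used for self-checking the generated set.
count_ipsec_rules() { ipsec_ruleset | grep -c ' ipsec$'; }
count_rules() { ipsec_ruleset | grep -c '^add '; }

install_ruleset
```

Rule order matters here: rule 200 (the ipsec match) must come before the anti-spoofing deny in rule 210, otherwise legitimate decrypted traffic from the remote site would be dropped together with the forged cleartext.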