ipfw and ipsec processing order for outgoing packets wrong

From: Ari Suutari (ari_at_suutari.iki.fi)
Date: 10/30/04

  • Next message: Robert Watson: "Re: panic in pipes"
    To: freebsd-net@freebsd.org
    Date: Sat, 30 Oct 2004 09:27:50 +0300
    
    

Hi,

I noticed that the processing order of ipsec and ipfw (pfil_hook) is not
correct for outgoing packets. Currently, ipsec processing is done first,
which makes packets go through without firewall inspection.
This might be a security problem for someone, but at least it
breaks stateful rule handling.

My test setup is (all freebsd 5.3-rc1 machines):

freebsd laptop <-> ipsec tunnel <-> freebsd server

When the server sends a packet to the laptop, it now goes like this:

ip_output -> ipsec -> ip_output -> ipfw -> network

It should go like this:

ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network

I think that this could be fixed by just moving pfil_hook
processing in ip_output before ipsec processing.

     Ari S.

_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
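The following is an added illustration, not code from the post or from the FreeBSD kernel: a small C model of the two ip_output orderings described above, with a toy pfil hook standing in for an ipfw keep-state/check-state rule and a one-line stand-in for tunnel-mode ESP encapsulation. Addresses, ports, the host-to-host tunnel layout and the hook's behaviour are all constructed assumptions; the point it shows is the one the post makes, that with ipsec run before the hook the inner packet is never seen on output, so no dynamic rule is created and the decapsulated reply fails the stateful check on input.

```c
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_ESP 50
#define MAX_STATES 16

/* Minimal packet model (constructed): 32-bit addresses, ports only meaningful for TCP. */
struct pkt {
    unsigned src, dst;
    unsigned char proto;
    unsigned sport, dport;
};

/* Dynamic-rule table that an ipfw "keep-state" rule would populate (constructed). */
struct state { unsigned src, dst, sport, dport; };
static struct state states[MAX_STATES];
static int nstates;

static void reset_states(void) { nstates = 0; }

/* Toy pfil hook (assumption, not ipfw's real logic): outbound TCP installs a
 * dynamic rule, inbound TCP passes only if it matches a rule in reverse
 * ("check-state"), and ESP between the tunnel endpoints is passed as-is.
 * Returns 1 for pass, 0 for drop. */
static int pfil_hook(const struct pkt *p, int outbound)
{
    if (p->proto == PROTO_ESP)
        return 1;
    if (outbound) {
        if (nstates < MAX_STATES) {
            struct state s = { p->src, p->dst, p->sport, p->dport };
            states[nstates++] = s;
        }
        return 1;
    }
    for (int i = 0; i < nstates; i++)
        if (states[i].src == p->dst && states[i].dst == p->src &&
            states[i].sport == p->dport && states[i].dport == p->sport)
            return 1;
    return 0;
}

/* Tunnel-mode ESP between the two hosts themselves: the inner packet becomes
 * the payload of an ESP packet, so the hook no longer sees TCP or ports. */
static struct pkt ipsec_encap(const struct pkt *inner)
{
    struct pkt outer = { inner->src, inner->dst, PROTO_ESP, 0, 0 };
    return outer;
}

/* Order reported in the post: ip_output -> ipsec -> ip_output -> ipfw.
 * The inner packet never reaches the hook. */
static int ip_output_current(const struct pkt *p)
{
    struct pkt outer = ipsec_encap(p);
    return pfil_hook(&outer, 1);
}

/* Proposed order: ip_output -> ipfw -> ipsec -> ip_output -> ipfw. */
static int ip_output_proposed(const struct pkt *p)
{
    if (!pfil_hook(p, 1))
        return 0;
    struct pkt outer = ipsec_encap(p);
    return pfil_hook(&outer, 1);
}

typedef int (*ip_output_fn)(const struct pkt *);

/* Send one server->laptop TCP packet through the given ordering, then present
 * the laptop's reply (already decapsulated by ipsec on input) to the inbound
 * hook. Returns 1 if the stateful rule accepts the reply, 0 if it drops it. */
static int reply_accepted(ip_output_fn out)
{
    const unsigned server = 0x0A000001u, laptop = 0x0A000002u;   /* constructed */
    struct pkt out_pkt = { server, laptop, PROTO_TCP, 40000, 22 };
    struct pkt reply   = { laptop, server, PROTO_TCP, 22, 40000 };

    reset_states();
    out(&out_pkt);
    return pfil_hook(&reply, 0);
}

int reply_accepted_current(void)  { return reply_accepted(ip_output_current); }
int reply_accepted_proposed(void) { return reply_accepted(ip_output_proposed); }

int main(void)
{
    printf("current order:  reply %s\n", reply_accepted_current()  ? "accepted" : "dropped");
    printf("proposed order: reply %s\n", reply_accepted_proposed() ? "accepted" : "dropped");
    return 0;
}
```

With the current ordering the only packet the hook sees on output is ESP, so the reply is dropped; with the hook moved before ipsec the inner TCP packet creates the dynamic rule first and the reply passes. The second hook pass on the encapsulated packet is kept in the proposed order because the post's target sequence still ends with ipfw before the network.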
