Re: ipsec packet filtering

From: Bjoern A. Zeeb (bzeeb-lists_at_lists.zabbadoz.net)
Date: 07/30/04

  • Next message: Nickolay A. Kritsky: "Re[2]: ipsec packet filtering"
    Date: Fri, 30 Jul 2004 05:04:49 +0000 (UTC)
    To: "Nickolay A. Kritsky" <nkritsky@star-sw.com>
    
    

    On Fri, 30 Jul 2004, Nickolay A. Kritsky wrote:

    > Hello freebsd-net,
    >
    > From searching the archives this looks like an old issue, but I
    > still can't understand something.
    > AFAIU, now the ipfw + ipsec interoperation looks like this:
    > input: encrypted packet comes to system. It is not checked against
    > ipfw rules. Rules are applied to decrypted payload packet.
    > output: packet is going to leave the system encrypted by ipsec. The
    > packet itself is not checked by firewall, but, after encryption, the
    > resulting ESP packet is run against ipfw rules.
    > I am sorry, but I still cannot understand the reasons for such
    > strange, ugly behaviour. Does anybody know the reasons for that and
    > what the chances are that we ever get fully-functional ipfw code
    > checking _every_ packet on the stack.

    I do not understand what you are trying to do, but filtering ipsec
    encrypted packets in ipfw has been available for quite some time now.
    I can and do check packets that:
    - come in encrypted and leave unencrypted
    - come in encrypted and leave encrypted
    - come in encrypted and leave re-encrypted
    - come in unencrypted and go out encrypted
    - come in encrypted and do not leave the system

    Please see the ipsec option in the ipfw manpage if that is what you are
    searching for.

    What cannot be done with FreeBSD is ipsec NAT traversal.

    -- 
    Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
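As an added illustration of the ipfw `ipsec` option Bjoern refers to, here is an example ruleset for a tunnel-mode gateway covering the cases he lists (encrypted in / cleartext out, cleartext in / encrypted out, and the ESP and IKE packets themselves). This is example code written for this page, not from the thread or from the FreeBSD project; the addresses, interface names, rule numbers and the kernel option named in the comments are assumptions.

```sh
#!/bin/sh
# Added example: an ipfw ruleset that uses the `ipsec` option to tell
# decapsulated tunnel traffic from cleartext. Not code from the thread or
# from the FreeBSD project; every address and interface below is hypothetical.
#
# Assumed topology (made up for the example):
#   local gateway  192.0.2.1 on $EXT_IF, local LAN 10.1.0.0/24 on $INT_IF
#   remote gateway 192.0.2.2, remote LAN 10.2.0.0/24, tunnel-mode ESP, IKE on 500/udp
# Assumed kernel: IPSEC plus the option that hands decapsulated packets back
# to the firewall (IPSEC_FILTERGIF on 5.x, IPSEC_FILTERTUNNEL or the
# net.inet.ipsec.filtertunnel sysctl on later releases). Without it the
# `ipsec` option never matches and the inner packets are never filtered.

EXT_IF=${EXT_IF:-em0}
INT_IF=${INT_IF:-em1}
LOCAL_GW=192.0.2.1
REMOTE_GW=192.0.2.2
LOCAL_LAN=10.1.0.0/24
REMOTE_LAN=10.2.0.0/24

# Print the rules, one "ipfw add" argument list per line, so they can be
# reviewed or checked before being loaded.
#   100/110  IKE between the two gateways
#   200/210  the ESP packets themselves; "esp" only means IP protocol 50 and
#            says nothing about whether the kernel could decapsulate them
#   300      a packet claiming a remote-LAN source with no IPsec history is
#            spoofed cleartext: drop and log it (must precede 310)
#   310      the inner packet the kernel decapsulated from the tunnel
#            (Bjoern's "comes in encrypted"); only `ipsec` distinguishes it
#            from the spoof caught by 300
#   320      the same packet leaving unencrypted toward the LAN
#   400      cleartext from the LAN arriving on $INT_IF before encryption
#   410      in case the stack also shows the cleartext on output before it
#            is encapsulated; the resulting ESP packet is matched by 210
#   65000    default deny
ipsec_rules() {
    cat <<EOF
10 allow ip from any to any via lo0
100 allow udp from $REMOTE_GW 500 to $LOCAL_GW 500 in recv $EXT_IF
110 allow udp from $LOCAL_GW 500 to $REMOTE_GW 500 out xmit $EXT_IF
200 allow esp from $REMOTE_GW to $LOCAL_GW in recv $EXT_IF
210 allow esp from $LOCAL_GW to $REMOTE_GW out xmit $EXT_IF
300 deny log ip from $REMOTE_LAN to any in not ipsec
310 allow ip from $REMOTE_LAN to $LOCAL_LAN in ipsec
320 allow ip from $REMOTE_LAN to $LOCAL_LAN out xmit $INT_IF
400 allow ip from $LOCAL_LAN to $REMOTE_LAN in recv $INT_IF
410 allow ip from $LOCAL_LAN to $REMOTE_LAN out
65000 deny log ip from any to any
EOF
}

# Flush and load the rules (needs root and an ipfw-enabled kernel).
load_rules() {
    ipfw -q -f flush
    ipsec_rules | while read -r rule; do
        # word splitting of $rule into separate ipfw arguments is intended
        ipfw -q add $rule
    done
}

# Only touch the running firewall when explicitly asked:
#   sh ipsec-rules.sh          prints the ruleset for review
#   sh ipsec-rules.sh apply    flushes and loads it
if [ "${1:-}" = "apply" ]; then
    load_rules
else
    ipsec_rules
fi
```

The point of rule 300 before 310 is that `ipsec` matches only packets the kernel actually decapsulated, whereas `proto esp` matches anything carrying an ESP header; a cleartext packet forged with a remote-LAN source address matches neither `ipsec` nor the ESP rules and is dropped. The ruleset assumes plain ESP between public addresses; it does not cover NAT traversal, which Bjoern notes is not available in FreeBSD at the time of the post.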
    
