Re: (review request) ipfw and ipsec processing order for outgoing packets

From: Jeremie Le Hen (jeremie_at_le-hen.org)
Date: 12/06/04

    Date: Mon, 6 Dec 2004 14:43:15 +0100
    To: Andre Oppermann <andre@freebsd.org>

    > > > > I have some stuff wrt [Fast]IPSEC and your problem in the works and
    > > > > it should become ready around christmas time (loadable [Fast]IPSEC, at
    > > > > least for IPv4).
    > > >
    > > > While this way of 'fixing' the IPSEC problem works it is rather gross
    > > > and not very stylish. I prefer not to have this in the tree as makes
    > > > maintenance a lot harder.
    > >
    > > I totally agree that it is not pretty. I was trying to avoid duplicating
    > > the code (so every change would have to be made twice) and making it a
    > > function didn't sit right for some reason. Hints/tips for dealing with
    > > this kind of situation are welcome, but maybe better off-list.
    >
    > As things currently are with IPSEC code weaved directly into ip_input()
    > and ip_output() there is no better way than what you have proposed.
    >
    > It will solve it much more nicely. :)

    If I understand correctly, either Joost's patch or your nice changes
    that-should-appear-before-christmas will achieve what the OpenBSD enc(4)
    interface provides [1]. It would be really wonderful. But I may be
    missing something because I can see no way in firewall rules to
    distinguish between the before IPSec processing hook and the after IPSec
    processing one. Could you clarify this for me please?

    Thanks in advance.
    Best regards,

    -- 
    Jeremie Le Hen
    jeremie@le-hen.org
