Re: (review request) ipfw and ipsec processing order for outgoing packets
From: Ari Suutari (ari_at_suutari.iki.fi)
Date: 12/07/04
- Previous message: Valentin Nechayev: "Re: FreeBSD kernel pppd - mppe/mschapv1/2/radius support"
- In reply to: Jeremie Le Hen: "Re: (review request) ipfw and ipsec processing order for outgoing packets"
- Next in thread: Andre Oppermann: "Re: (review request) ipfw and ipsec processing order for outgoing packets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: "Jeremie Le Hen" <jeremie@le-hen.org>
Date: Tue, 7 Dec 2004 10:43:00 +0200
Hi,
> But I may be
> missing something because I can see no way in firewall rules to
> distinguish between the before IPSec processing hook and the after IPSec
> processing one. Could you clarify this for me please?
There is a keyword "ipsec" in ipfw2, which matches if a packet has emerged
from an ipsec tunnel. To match a packet before the ipsec stack, use protocol
esp/ah in the ipfw rule. To match a packet after the ipsec stack, use tcp/udp/ip
as the protocol and the "ipsec" keyword.

The problem is that this doesn't work for outgoing packets, which breaks
at least stateful rules.
Ari S.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
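To make the distinction in the reply concrete, here is an added example ruleset (not part of the original thread, and not code from FreeBSD or from either poster) that places the "before IPsec" and "after IPsec" match points on the inbound path the way the reply describes. The interface name, peer address, inner subnet and rule numbers are assumptions chosen for illustration; the script prints the rules instead of loading them when ipfw(8) is not present.

```shell
#!/bin/sh
# Added example, not from the original post: an ipfw2 ruleset that
# separates the "before IPsec" and "after IPsec" match points on the
# inbound path.  Interface, addresses and rule numbers are assumptions.

# Dry-run friendly: on a host without ipfw(8) (or with IPFW_DRY_RUN set)
# the rules are echoed rather than loaded, so the script can be read and
# tested anywhere.
if command -v ipfw >/dev/null 2>&1 && [ -z "$IPFW_DRY_RUN" ]; then
    IPFW=ipfw
else
    IPFW="echo ipfw"
fi

EXT_IF=em0                 # assumed external interface
PEER=203.0.113.10          # assumed IPsec peer (documentation address range)
INNER_NET=10.0.0.0/24      # assumed subnet reached through the tunnel

load_rules() {
    # 1. Before the IPsec stack: the packet is still ESP or AH on the wire,
    #    so only the outer header can be matched.  Use the esp/ah protocol
    #    names here, as the reply says.
    $IPFW add 100 allow esp from $PEER to me in via $EXT_IF
    $IPFW add 110 allow ah  from $PEER to me in via $EXT_IF

    # 2. After the IPsec stack: the decapsulated packet is re-injected and
    #    traverses ipfw again carrying IPsec history.  The "ipsec" keyword
    #    matches exactly those packets, so they can now be filtered by their
    #    inner protocol (tcp/udp/ip) and ports.
    $IPFW add 200 check-state
    $IPFW add 210 allow tcp from $INNER_NET to me dst-port 22 in ipsec keep-state
    $IPFW add 220 deny   ip from $INNER_NET to any in ipsec

    # 3. Caveat from the thread: on the outgoing path the "ipsec" keyword
    #    does not match, so a stateful rule keyed on it (rule 210 above)
    #    has no symmetric outbound counterpart.  Nothing here works around
    #    that; it is the problem the thread is about.
}

load_rules
```

Run as root on a FreeBSD host with IPFIREWALL and IPSEC in the kernel to load the rules; anywhere else it just prints them. The two "in ipsec" rules are the only ones that see the decapsulated packets, and rules 100/110 are the only ones that see the ESP/AH envelope.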