Re: (review request) ipfw and ipsec processing order for outgoing packets

From: Andre Oppermann (andre_at_freebsd.org)
Date: 12/09/04

    Date: Thu, 09 Dec 2004 14:46:17 +0100
    To: Jeremie Le Hen <jeremie@le-hen.org>
    
    

    Jeremie Le Hen wrote:
    >
    > > > > > I have some stuff wrt [Fast]IPSEC and your problem in the works and
    > > > > > it should become ready around christmas time (loadable [Fast]IPSEC, at
    > > > > > least for IPv4).
    > > > >
    > > > > While this way of 'fixing' the IPSEC problem works it is rather gross
    > > > > and not very stylish. I prefer not to have this in the tree as it makes
    > > > > maintenance a lot harder.
    > > >
    > > > I totally agree that it is not pretty. I was trying to avoid duplicating
    > > > the code (so every change would have to be made twice) and making it a
    > > > function didn't sit right for some reason. Hints/tips for dealing with
    > > > this kind of situation are welcome, but maybe better off-list.
    > >
    > > As things currently are with IPSEC code weaved directly into ip_input()
    > > and ip_output() there is no better way than what you have proposed.
    > >
    > > It will solve it much more nicely. :)
    >
    > If I understand correctly, either Joost's patch or your nice changes
    > that-should-appear-before-christmas will achieve what the OpenBSD enc(4)
    > interface provides [1]. It would be really wonderful. But I may be
    > missing something because I can see no way in firewall rules to
    > distinguish between the before IPSec processing hook and the after IPSec
    > processing one. Could you clarify this for me please?

    With the changes you can choose whether you want to do firewalling before
    ipsec processing or after but not both. The enc(4) pseudo device looks
    interesting but I haven't looked at the code. Maybe that makes things
    easier. I'll look into it.

    -- 
    Andre
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
    
