Re: (review request) ipfw and ipsec processing order for outgoing packets

From: Bjoern A. Zeeb (bzeeb-lists_at_lists.zabbadoz.net)
Date: 12/09/04

    Date: Thu, 9 Dec 2004 16:10:24 +0000 (UTC)
    To: Andre Oppermann <andre@freebsd.org>

    On Thu, 9 Dec 2004, Andre Oppermann wrote:

    Hi,

    > With the changes you can choose whether you want to do firewalling before
    > ipsec processing or after but not both.

    I am unsure if I get that right but that's what the ipsec flag in
    ipfw2 is for and it is heavily used to filter ipsec encrypted traffic
    and the same traffic, tagged to come from an ipsec tunnel, afterwards.

    If your changes won't handle this you will break too many IPSec GWs I
    think.

    > The enc(4) pseudo device looks
    > interesting but I haven't looked at the code. Maybe that makes things
    > easier. I'll look into it.

    The code is quite simple and helpful for debugging but not for a lot
    more with our current ipsec implementations (at least that had been
    the case about a year ago).

    -- 
    Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
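
    As an added illustration of the two-pass filtering described above (an example written for this page, not taken from the mail or the FreeBSD tree), restricted to the inbound path: the outer pass matches the raw ESP and ISAKMP packets between the two gateways, and a second rule matches the same traffic after decapsulation via the ipfw2 `ipsec` option, which matches packets carrying an IPsec history. Addresses, interface name and rule numbers are constructed.

    ```text
    # /etc/ipfw.rules (constructed example; load with: ipfw -q /etc/ipfw.rules)
    # Outer pass: only ESP and ISAKMP from the known peer gateway may reach us.
    add 100 allow esp from 203.0.113.2 to 198.51.100.1 in via em0
    add 110 allow udp from 203.0.113.2 500 to 198.51.100.1 500 in via em0
    # Inner pass: the same traffic seen again after decapsulation, now matched
    # by its IPsec history; only the remote site's prefix may appear there.
    add 200 allow ip from 10.2.0.0/16 to 10.1.0.0/16 in ipsec
    # Cleartext packets claiming the remote prefix did not come through the
    # tunnel, so they are spoofed: log and drop them.
    add 210 deny log ip from 10.2.0.0/16 to any in via em0
    add 65000 deny ip from any to any
    ```

    Rule 200 cannot match on the outer interface before decapsulation, and the `ipsec` option has no effect on the outgoing direction that this thread is about.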