Re: (review request) ipfw and ipsec processing order for outgoing packets

From: Andre Oppermann (andre_at_freebsd.org)
Date: 12/10/04

    Date: Fri, 10 Dec 2004 12:05:43 +0100
    To: Ari Suutari <ari@suutari.iki.fi>
    
    

    Ari Suutari wrote:
    >
    > Hi,
    > >> With the changes you can choose whether you want to do firewalling before
    > >> ipsec processing or after but not both.
    > >
    > > I am unsure if I get that right but that's what the ipsec flag in
    > > ipfw2 is for and it is heavily used to filter ipsec encrypted traffic
    > > and the same traffic, tagged to come from an ipsec tunnel, afterwards.
    > >
    > > If your changes won't handle this you will break too many IPSec GWs I
    > > think.
    > >
    >
    > At least I do filtering both before and after ipsec. Typical case
    > is that before ipsec I allow only esp from peer's ipsec box, after
    > ipsec I allow some tcp ports if (and only if) the packet has
    > originated from ipsec (I use ipsec flag).
    >
    > So being able to filter traffic both before and after is necessary,
    > it is very well possible right now, if one uses IPSEC_FILTERGIF
    > kernel option and ipfw "ipsec" flag. Please don't break this, it has
    > been broken more or less in various releases (or at least there have
    > been differences how firewalling works with ipsec stuff).
    >
    > However, feel free to fix the remaining problems for *outgoing*
    > traffic.

    All I intend to provide is a way to specify whether you want IPSEC before
    or after pfil_hooks. By default it will be as it is today and work exactly
    the same.

    -- 
    Andre
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
    
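The setup Ari describes above (ESP only from the peer on the outer interface, then a second pass over the decapsulated packet matched with the ipfw `ipsec` option) as a concrete ruleset. This is an added example, not a ruleset posted in the thread; it assumes a FreeBSD kernel built with IPSEC and IPSEC_FILTERGIF so the inner packet is run through the pfil hooks again after decapsulation, and all addresses, the interface name and the port list are constructed placeholders. `apply_rules` takes the command to run the rules through, so `apply_rules echo` dry-runs the set without touching the kernel:

```shell
#!/bin/sh
# Added example (not from the thread): ipfw2 rules that filter an IPsec
# tunnel both before and after decapsulation. Assumes kernel options
# IPSEC and IPSEC_FILTERGIF. All values below are constructed placeholders.

ME=192.0.2.1             # this gateway's outer (public) address
PEER=192.0.2.2           # peer IPsec gateway's outer address
EXT_IF=em0               # interface that carries the ESP traffic
LOCAL_NET=10.0.1.0/24    # network behind this gateway
REMOTE_NET=10.0.2.0/24   # network behind the peer
PORTS=22,80              # TCP services reachable through the tunnel

# apply_rules CMD: push each rule through CMD. Use "ipfw" to load the
# rules, or "echo" to print them for review without changing the kernel.
apply_rules() {
    cmd=$1

    # Loopback is never filtered.
    $cmd add 50 allow ip from any to any via lo0

    # 1. Before IPsec: on the outer interface the peer may only send ESP.
    #    Anything else arriving from outside falls through to the final deny.
    $cmd add 100 allow esp from "$PEER" to "$ME" in via "$EXT_IF"
    $cmd add 110 allow esp from "$ME" to "$PEER" out via "$EXT_IF"

    # 2. After IPsec: the decapsulated inner packet is filtered a second
    #    time carrying IPsec history. The "ipsec" option restricts the rule
    #    to such packets, so a cleartext packet arriving on $EXT_IF with a
    #    spoofed $REMOTE_NET source never matches this rule.
    $cmd add 200 allow tcp from "$REMOTE_NET" to "$LOCAL_NET" "$PORTS" in ipsec

    # Replies leave in cleartext, are filtered here, and are then
    # encapsulated into the ESP flow permitted by rule 110.
    $cmd add 210 allow tcp from "$LOCAL_NET" "$PORTS" to "$REMOTE_NET" out established

    # 3. Default deny for everything not matched above.
    $cmd add 65000 deny ip from any to any
}

# Only load into the kernel when explicitly asked: ./ipsec-ipfw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules ipfw
fi
```

Because the same ruleset sees an inbound tunnel packet twice (once as ESP, once as the inner TCP packet), rule 200 is the only rule that may accept cleartext from the remote network, and it only does so when the packet really came out of the tunnel; that is the property the `ipsec` flag and IPSEC_FILTERGIF provide together.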
