From: Alexey Zakirov (frankagava.com)
Date: Wed Mar 06 2002 - 05:52:18 CST

    On Mon, 4 Mar 2002, Crist J. Clark wrote:

    > > #workstation
    > > ipfw add 10 allow esp from any to any
    > >
    > > Now, everything works fine. But I would like to be able to firewall the
    > > packets *after* they are translated by IPSec (ESP) with IPFW? How would I
    > > do that? They seem to only pass into IPFW once, not twice.. Can you run IPF
    > > with IPFW to do it, and in that case which firewalling system gets matched
    > > first?
    >
    > Yep. They go through ipfw(8) once. If you run ipf(8), they go through
    > ipf(8) then ipfw(8)... once.

    You _can't_ filter packets "*after* they are translated by IPSec". It's
    because of the change in ip_input.c which happened around summer. This is a
    patch that I have to apply to most of my natd/gateway machines to get
    NAT working:
    =======================================================================
    --- ip_input.c.orig Thu Jan 17 20:32:21 2002
    +++ ip_input.c Thu Jan 17 20:32:58 2002
    -391,10 +391,12
                            m_adj(m, ip->ip_len - m->m_pkthdr.len);
            }

    +/* XXX breaks tunnels/nat/etc
     #ifdef IPSEC
            if (ipsec_gethist(m, NULL))
                    goto pass;
     #endif
    +*/

            /*
             * IpHack's section.
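
Review bot: The `+/* XXX breaks tunnels/nat/etc` and `+*/` lines disable the early `goto pass` taken when `ipsec_gethist()` returns a history record for the mbuf (a packet already decapsulated by IPsec), so the decrypted packet now continues into the "IpHack's section" (ipfw/divert/natd) instead of skipping it. That is exactly what the thread asks for, but it silently changes the one-pass contract described in the quoted reply: the cleartext inner packet traverses ipfw a second time, so a ruleset built for the stock kernel (`ipfw add 10 allow esp from any to any` alone) will now send that second pass to the default-deny rule unless explicit rules for the inner addresses are added. The comment should state this, and that without the patch anything arriving through an IPsec SA bypasses ipfw entirely, so administrators can judge which behaviour each host needs. Two smaller points: enclosing preprocessor directives in a block comment works, but `#if 0 ... #endif` is the conventional way to disable such a block, and a sysctl-controlled skip would let hosts that depend on the stock behaviour keep it; and the hunk header appears as `-391,10 +391,12` without its `@@` delimiters, so patch(1) will reject the diff as shown.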
    =======================================================================

    *** WBR, Alexey Zakirov (frankagava.com)

    To Unsubscribe: send mail to majordomo@FreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message