Requireing IPsec on wi interface?
borjamar at sarenet.es
Thu Apr 3 00:41:40 PST 2003
On Tuesday 14 January 2003 06:30, Ben Pfountz wrote:
> I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the
> way ipfw handles IPsec packets. After IPsec processes the packets, it
> passes the packets to the firewall without the ESP flag set. Before the
> upgrade to 4.7-STABLE, I was using the firewall to prevent all but ESP
> packets on that interface. Now, I cant figure out how to firewall all
> but IPsec packets on my wireless interface. I would like to get IPsec
> going instead of wep, but I would need to somehow block non-ESP packets.
> Anybody have any suggestions?
I have exactly the same problem. I upgraded my system to -STABLE and had
to go back to RELENG_4_7.
I think this is a serious problem. Packets coming through a tunnel should
be seen in a different way than packets received at the interface.
Of course, with the old behavior, you always trust the packets you receive
through a tunnel, but I think the behavior currently implemented in
-STABLE is far worse; you cannot do this sort of configuration.
Protecting the interface with rules such as these has another important
advantage: it protects you from configuration errors. In case you forget
anything (or there is a problem with IPSec) you make sure that no
unencrypetd packets will leave the interface.
Would it be possible to have an added flag to ipfw rules identifying the
tunnel, or something like that?
More information about the freebsd-mobile