(review request) ipfw and ipsec processing order for outgoing packets
Ari Suutari
ari at suutari.iki.fi
Tue Dec 7 00:43:21 PST 2004
Hi,
> But I may be
> missing something because I can see no way in firewall rules to
> distinguish between the before IPSec processing hook and the after IPSec
> processing one. Could you clarify this for me please ?
There is a keyword "ipsec" in ipfw2, which matches if the packet has emerged
from an ipsec tunnel. To match a packet before the ipsec stack, use protocol
esp/ah in the ipfw rule. To match a packet after the ipsec stack, use
tcp/udp/ip as the protocol and the "ipsec" keyword.
The problem is that this doesn't work for outgoing packets, which breaks
at least stateful rules.
Ari S.
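As an added illustration of the two match points described in the reply above (not code from the original post or from FreeBSD), the script below generates an ipfw2 ruleset in which ESP/AH protocol rules see the packet before the IPsec stack and rules carrying the "ipsec" keyword see the decapsulated inner packet afterwards. The peer address, inner network, interface name and rule numbers are constructed placeholders; the ruleset only handles the inbound direction, since the reply notes that outbound packets do not get the same treatment.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Builds an ipfw2 ruleset that separates "before IPsec" matches (esp/ah on the
# outer packet) from "after IPsec" matches (the "ipsec" keyword on the inner
# packet). All addresses, interface names and rule numbers are constructed.

IPSEC_PEER="${IPSEC_PEER:-203.0.113.1}"   # constructed: remote tunnel endpoint
INNER_NET="${INNER_NET:-10.0.1.0/24}"     # constructed: network reached through the tunnel
EXT_IF="${EXT_IF:-em0}"                   # constructed: external interface

# Emit the rules as text so they can be reviewed before being loaded.
ipsec_ruleset() {
    cat <<EOF
add 1000 allow esp from any to ${IPSEC_PEER} out via ${EXT_IF}
add 1010 allow esp from ${IPSEC_PEER} to any in via ${EXT_IF}
add 1020 allow ah from any to ${IPSEC_PEER} out via ${EXT_IF}
add 1030 allow ah from ${IPSEC_PEER} to any in via ${EXT_IF}
add 2000 check-state
add 2010 allow tcp from ${INNER_NET} to me in ipsec setup keep-state
add 2020 allow udp from ${INNER_NET} to me in ipsec keep-state
add 3000 deny ip from ${INNER_NET} to me in not ipsec
add 65000 deny ip from any to any
EOF
}

# Number of rules that inspect the post-IPsec (decapsulated) packet.
count_ipsec_rules() {
    ipsec_ruleset | grep -c ' ipsec'
}

# Number of rules that inspect the pre-IPsec (ESP/AH encapsulated) packet.
count_outer_rules() {
    ipsec_ruleset | grep -c -E ' (esp|ah) '
}

# Load the rules only where ipfw exists (FreeBSD); elsewhere just print them.
if command -v ipfw >/dev/null 2>&1; then
    ipsec_ruleset | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        ipfw -q $rule
    done
else
    ipsec_ruleset
fi
```

Rule 3000 is the defensive point of the split: traffic claiming an inner-network source address that did not arrive through the tunnel is dropped, which is only expressible because the "ipsec" keyword distinguishes the two passes through the firewall.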