(review request) ipfw and ipsec processing order
ari at suutari.iki.fi
Tue Dec 7 00:43:21 PST 2004
> But I may be
> missing something because I can see no way in firewall rules to
> distinguish between the before IPSec processing hook and the after IPSec
> processing one. Could you clarify this for me please?
There is a keyword "ipsec" in ipfw2, which matches if the packet has emerged
from an ipsec tunnel. To match a packet before the ipsec stack, use the protocol
in the ipfw rule. To match a packet after the ipsec stack, use tcp/udp/ip
and the "ipsec" keyword.
The problem is that this doesn't work for outgoing packets, which breaks
at least stateful rules.
More information about the freebsd-net
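The rule ordering described in the reply above, written out as an added example; this is not code from the mailing list post or from the FreeBSD project. It assumes a hypothetical gateway pair (192.0.2.1 local, 198.51.100.1 peer) with LANs 10.0.0.0/24 and 10.0.1.0/24 behind them, and a kernel whose IPsec stack hands decapsulated packets back to ipfw so that the "ipsec" option can match (the IPSEC_FILTERGIF kernel option on FreeBSD 5.x; check ipfw(8) for your release). The first pass matches the outer ESP/AH packet by protocol, the second pass matches the inner packet by its own protocol plus "ipsec"; the outgoing rules deliberately do not use "ipsec", since the reply states it does not work in that direction.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical addresses.
LOCAL_GW=192.0.2.1
PEER_GW=198.51.100.1
LOCAL_LAN=10.0.0.0/24
REMOTE_LAN=10.0.1.0/24

# Emit the rule set on stdout in the format ipfw(8) reads from a file:
# one rule per line without the "ipfw" prefix, "#" lines ignored.
# Rule numbers fix the order the post depends on: the encapsulated
# packet is seen first (no IPsec history yet), the decapsulated inner
# packet second (IPsec history present, so "ipsec" matches).
ipsec_rules() {
    cat <<EOF
# Pass 1: packet as it arrives on the wire, still encapsulated.
# Match on protocol only; "ipsec" would not match here.
add 100 allow esp from $PEER_GW to $LOCAL_GW in
add 110 allow ah from $PEER_GW to $LOCAL_GW in
add 120 allow udp from $PEER_GW to $LOCAL_GW 500 in
# Pass 2: the decapsulated inner packet. Match on the inner protocol
# plus "ipsec", so a cleartext packet forging the remote LAN source
# that did not come out of the tunnel falls through to rule 240.
add 210 allow tcp from $REMOTE_LAN to $LOCAL_LAN in ipsec
add 220 allow udp from $REMOTE_LAN to $LOCAL_LAN in ipsec
add 230 allow icmp from $REMOTE_LAN to $LOCAL_LAN in ipsec
add 240 deny log ip from $REMOTE_LAN to $LOCAL_LAN in
# Outgoing traffic is seen before encapsulation and the post says the
# "ipsec" option does not work in this direction, so match by
# address only, then pass the encapsulated result to the peer.
add 300 allow ip from $LOCAL_LAN to $REMOTE_LAN out
add 310 allow esp from $LOCAL_GW to $PEER_GW out
add 320 allow ah from $LOCAL_GW to $PEER_GW out
add 330 allow udp from $LOCAL_GW to $PEER_GW 500 out
add 65000 deny log ip from any to any
EOF
}

# Load the rule set on the gateway (run as root). -f skips the flush
# confirmation prompt, -q keeps the per-rule output quiet.
apply_ipsec_rules() {
    ipfw -f -q flush
    ipsec_rules | ipfw -q /dev/stdin
}
```

Run `ipsec_rules` to review the generated set before `apply_ipsec_rules` loads it; the numbering, not the order of lines in the file, is what guarantees that rule 100 (outer ESP) is consulted before rule 210 (inner TCP with IPsec history).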