(review request) ipfw and ipsec processing order for outgoing packets
Andre Oppermann
andre at freebsd.org
Fri Dec 10 03:05:40 PST 2004
Ari Suutari wrote:
>
> Hi,
> >> With the changes you can choose whether you want to do firewalling before
> >> ipsec processing or after but not both.
> >
> > I am unsure if I get that right but that's what the ipsec flag in
> > ipfw2 is for and it is heavily used to filter ipsec encrypted traffic
> > and the same traffic, tagged to come from an ipsec tunnel, afterwards.
> >
> > If your changes won't handle this you will break too many IPSec GWs I
> > think.
> >
>
> At least I do filtering both before and after ipsec. Typical case
> is that before ipsec I allow only esp from peer's ipsec box, after
> ipsec I allow some tcp ports if (and only if) the packet has
> originated from ipsec (I use ipsec flag).
>
> So being able to filter traffic both before and after is necessary;
> it is very well possible right now, if one uses the IPSEC_FILTERGIF
> kernel option and the ipfw "ipsec" flag. Please don't break this, it has
> been broken more or less in various releases (or at least there have
> been differences in how firewalling works with ipsec stuff).
>
> However, feel free to fix the remaining problems for *outgoing*
> traffic.
All I intend to provide is a way to specify whether you want IPSEC before
or after pfil_hooks. By default it will be as it is today and work exactly
the same.
--
Andre
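The before/after filtering Ari describes, as an added example (not code from this thread or from FreeBSD): an ipfw ruleset that admits only ESP and IKE from the peer gateway before IPsec, then admits a few TCP ports only for packets that carry IPsec history (the ipfw "ipsec" flag). It assumes a kernel with IPSEC and IPSEC_FILTERGIF, and the addresses and ports below are constructed placeholders.

```shell
#!/bin/sh
# Constructed values: override in the environment for a real gateway.
PEER_GW=${PEER_GW:-203.0.113.2}           # remote IPsec gateway (constructed)
REMOTE_NET=${REMOTE_NET:-192.168.2.0/24}  # network behind the peer (constructed)
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}    # our protected network (constructed)
ALLOWED_PORTS=${ALLOWED_PORTS:-22,443}    # TCP ports reachable through the tunnel

# Emit the rules (one per line, without the leading "ipfw") so the set can
# be reviewed before anything is loaded into the kernel.
gen_ipsec_rules() {
    cat <<EOF
# --- before IPsec: only ESP and IKE from the peer's gateway may enter ---
add 100 allow esp from $PEER_GW to me in
add 110 allow udp from $PEER_GW 500 to me 500 in
add 120 allow esp from me to $PEER_GW out
add 130 allow udp from me 500 to $PEER_GW 500 out
# --- after IPsec: decapsulated packets carry IPsec history (ipsec flag) ---
add 200 allow tcp from $REMOTE_NET to $LOCAL_NET $ALLOWED_PORTS in ipsec
add 210 allow tcp from $LOCAL_NET to $REMOTE_NET established out
# cleartext packets claiming the remote net but lacking IPsec history: spoofed
add 290 deny log ip from $REMOTE_NET to any in not ipsec
add 65000 deny log ip from any to any
EOF
}

# Load the generated rules; comment lines are skipped. Requires root and ipfw.
apply_ipsec_rules() {
    gen_ipsec_rules | grep -v '^#' | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        ipfw -q $rule
    done
}

if [ "${1:-}" = apply ]; then
    apply_ipsec_rules
fi
```

Outbound plaintext is still seen by rule 210 before encapsulation under the default order Andre says is kept; only the inbound side depends on IPSEC_FILTERGIF re-injecting decapsulated packets through the filter.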