kern/90181: IPSEC_FILTERGIF documentation is incomplete

Yuriy Tsibizov Yuriy.Tsibizov at gfk.ru
Sat Dec 10 03:10:05 PST 2005


>Number:         90181
>Category:       kern
>Synopsis:       IPSEC_FILTERGIF documentation is incomplete
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 10 11:10:03 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Yuriy Tsibizov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD free.home.local 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Sat Dec 10 12:16:33 MSK 2005 chibis at free.home.local:/usr/obj/usr/src/sys/FREE-IPSEC i386

>Description:
    /usr/src/sys/conf/NOTES does not document all consequences of adding
    IPSEC_FILTERGIF to the kernel configuration. It describes that this option
    only affects decrypted packets coming from an IPSec-encrypted gif tunnel.
    In reality it will also allow filtering of all decrypted IPSec data
    (like transport mode ESP tunnels).
    The ipfw "ipsec" option also works for all decrypted packets if this kernel
    option is enabled.

>How-To-Repeat:
    I can't check it on a real network, only on loopback (lo0).

    Kernel configuration:
options 	IPSEC			#IP security
options 	IPSEC_ESP		#IP security (crypto; define w/ IPSEC)
options 	IPSEC_FILTERGIF		#filter ipsec packets from a tunnel

options 	IPFIREWALL		#firewall
options 	IPFIREWALL_VERBOSE	#enable logging to syslogd(8)
options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity

    1. Add IPSEC configuration for the lo0 interface (setkey(8) configuration,
       load it with "setkey -c" on stdin or "setkey -f file"):
# clear the SA and policy databases so the test can be re-run
flush;
spdflush;
# one ESP SA, loopback to loopback, SPI 0x1001, DES-CBC with a constant test key
add 127.0.0.1 127.0.0.1 esp 0x1001 -E des-cbc 0x0000000000000001;

# require ESP tunnel mode for all lo0 traffic in both directions
spdadd 127.0.0.1/32 127.0.0.1/32 any -P out ipsec esp/tunnel/127.0.0.1-127.0.0.1/require;
spdadd 127.0.0.1/32 127.0.0.1/32 any -P in  ipsec esp/tunnel/127.0.0.1-127.0.0.1/require;

    2. Add IPFW configuration:
ipfw flush
ipfw add allow log logamount 100 esp from any to any
ipfw add deny log logamount 100 ip from any to any

    3. Ping localhost

    4. Look in the security log; you will get
Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:25:15 free kernel: ipfw: 200 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0

    5. Change IPFW configuration:
ipfw flush
ipfw add allow log logamount 100 esp from any to any
ipfw add allow log logamount 100 ip from any to any ipsec
ipfw add deny log logamount 100 ip from any to any

    6. Ping localhost

    7. You will get
Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:32:36 free kernel: ipfw: 200 Accept ICMP:0.0 127.0.0.1 127.0.0.1 in via lo0
    in your security log.

>Fix:
    Update NOTES:
#
# Set IPSEC_FILTERGIF to force packets coming from IPSec
# to be processed by any configured packet filtering (ipfw, ipf).
# The default is that these packets are _not_ processed;
# they are assumed trusted.
#
# IPSEC history is preserved for such packets, and can be filtered
# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
#
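The log lines in steps 4 and 7 are the evidence that decrypted packets go through ipfw. The following script, added here as an illustration and not part of the PR, classifies ipfw log lines and reports whether any non-ESP inbound packet was seen by the firewall, which only happens when IPSEC_FILTERGIF re-injects the decapsulated traffic. The sample log is constructed after the PR's output; function names are the example's own.

```shell
#!/bin/sh
# Added example: detect from ipfw(8) log lines whether decrypted IPsec
# packets are being filtered (IPSEC_FILTERGIF in effect).

# Constructed sample modelled on the PR's step 4 output: ESP accepted out
# and in, then the decapsulated ICMP echo request hitting the deny rule.
SAMPLE_LOG='Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:25:15 free kernel: ipfw: 200 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0'

# Print "rule action proto direction" for every ipfw log line on stdin.
# Tokens after "ipfw: " are: rule action proto src dst direction via ifname.
ipfw_log_fields() {
    awk '/ipfw: / {
        n = index($0, "ipfw: ")
        split(substr($0, n + 6), f, " ")
        print f[1], f[2], f[3], f[6]
    }'
}

# Count inbound lines whose protocol is not ESP (P:50).  Such lines can only
# appear if the inner, decrypted packet was passed through ipfw again.
decrypted_inbound_count() {
    ipfw_log_fields | awk '$3 != "P:50" && $4 == "in" { c++ } END { print c + 0 }'
}

# Return 0 (true) when the log text in $1 shows decrypted traffic being filtered.
filtergif_active() {
    [ "$(printf '%s\n' "$1" | decrypted_inbound_count)" -gt 0 ]
}

# Usage on the constructed sample; on a live box feed it the security log instead.
printf '%s\n' "$SAMPLE_LOG" | ipfw_log_fields
filtergif_active "$SAMPLE_LOG" && echo "decrypted packets are being filtered"
```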

>Release-Note:
>Audit-Trail:
>Unformatted:
