ipsec packet filtering
Nickolay A. Kritsky
nkritsky at star-sw.com
Thu Jul 29 20:58:44 PDT 2004
Hello freebsd-net,
From searching the archives this looks like an old issue, but I
still can't understand something.
AFAIU, now the ipfw + ipsec interoperation looks like this:
input: encrypted packet comes to system. It is not checked against
ipfw rules. Rules are applied to decrypted payload packet.
output: packet is going to leave the system encrypted by ipsec. The
packet itself is not checked by firewall, but, after encryption, the
resulting ESP packet is run against ipfw rules.
I am sorry, but I still cannot understand the reasons for such
strange, ugly behaviour. Does anybody know the reasons for that and
what the chances are that we will ever get fully-functional ipfw code
checking _every_ packet on the stack?
Thanks.
--
Best regards,
; Nickolay A. Kritsky
; SysAdmin STAR Software LLC
; mailto:nkritsky at star-sw.com
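An added example (not part of the original post): an ipfw rule file written for the behaviour described above, i.e. ipfw sees the ESP packet on output but the decrypted payload on input. The gateway addresses 192.0.2.1 / 198.51.100.1, the inner networks 10.1.0.0/24 and 10.2.0.0/24, and the host 10.1.0.10 are hypothetical. The file is in the form read by `ipfw -q /etc/ipfw.rules`, so the lines carry no leading `ipfw`.

```conf
# Hypothetical site-to-site tunnel (addresses are made up for the example):
#   local gateway 192.0.2.1, inner net 10.1.0.0/24
#   peer  gateway 198.51.100.1, inner net 10.2.0.0/24
flush

# IKE between the two gateways travels in the clear in both directions.
add 100 allow udp from 192.0.2.1 500 to 198.51.100.1 500
add 110 allow udp from 198.51.100.1 500 to 192.0.2.1 500

# Outbound: per the behaviour described, the plaintext packet is NOT run
# through ipfw; only the resulting ESP packet is. This rule is therefore
# the only place where outbound tunnel traffic can be permitted at all.
add 200 allow esp from 192.0.2.1 to 198.51.100.1 out

# Inbound: per the behaviour described, the encrypted ESP packet is NOT
# run through ipfw, so this rule has no effect on such a kernel. It is kept
# so the ruleset stays correct on a kernel that does present inbound ESP.
add 210 allow esp from 198.51.100.1 to 192.0.2.1 in

# Inbound, after decryption: this is the packet ipfw actually inspects, so
# restrictions on what the remote site may reach belong here.
add 300 allow tcp from 10.2.0.0/24 to 10.1.0.10 22 in setup
add 310 allow tcp from 10.2.0.0/24 to 10.1.0.10 22 in established
add 320 deny log ip from 10.2.0.0/24 to any in

# Outbound plaintext headed into the tunnel never reaches ipfw on the
# described kernel, so a rule like
#   add 400 deny ip from 10.1.0.0/24 to 10.2.0.0/24 out
# would match nothing. Restrict that direction at rule 200 (all or nothing
# per peer) or on the sending hosts instead.

add 65000 deny log ip from any to any
```

Two consequences of the described behaviour are visible in this file: inbound policy on inner addresses (rules 300 to 320) is enforced, because ipfw sees the decrypted payload, while outbound policy can only be expressed per ESP peer (rule 200), because the plaintext packet bypasses the firewall before encryption. Whether inbound ESP is ever presented to ipfw, and whether the inner packet of a tunnel is filtered, depends on the kernel build and ipfw version; this is an assumption about the reader's system, not something the thread settles.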