kern/97057: IPSEC + pf needs note?
Giorgos Keramidas
keramida at ceid.upatras.gr
Fri Jun 23 16:38:24 UTC 2006
On 2006-06-02 09:50, Max Laier <max at love2party.net> wrote:
> Hi,
> anyone up for taking responsibility for this? I don't think we
> should change GENERIC for it, but it should clearly be
> documented somewhere somehow.
>
> Thanks.
Copying the text of the report here too:
# Message-Id: <200605092157.k49LvPN1061507 at www.freebsd.org>
# Date: Tue, 9 May 2006 21:57:25 GMT
# From: Dmitry Andrianov <freebsd at dima.spb.ru>
#
# When IPSEC is configured according to handbook
# ( http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html )
# but pf is used instead of ipfw, users experience very strange
# TCP connection stalls.
#
# In addition to me experiencing that problem
# ( http://lists.freebsd.org/pipermail/freebsd-pf/2006-May/002129.html )
#
# I believe the following reports also refer to the same problem I had:
# http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008812.html
# http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008745.html
#
# The problem is caused by the fact PF can not properly track state
# because it does not see packets coming from the tunnel to gif
# interface. The problem is resolved by rebuilding kernel with
# IPSEC_FILTERGIF. And the real challenge is to find that solution
# because all the references to that option say that it is needed
# if you want filtering on gif. I do NOT want filtering on gif, I
# want filtering on other interfaces but it does not work either.
#
# In my opinion, IPSEC_FILTERGIF option should be on by default. If
# it is absolutely unacceptable, documentation should be fixed to
# reflect "side effect" of enabling IPSEC/FAST_IPSEC without
# IPSEC_FILTERGIF
Since the problem described can be a side-effect of the IPSEC
setup the Handbook describes, I guess we should fix the Handbook
to mention the IPSEC_FILTERGIF option.
Does the following look ok?
# giorgos at gothmog:/home/giorgos/ws/doc/en_US.ISO8859-1/books/handbook/security$ svk log -v -r 8:9
# ----------------------------------------------------------------------
# r9: giorgos | 2006-06-23 19:36:51 +0300
# Changed paths:
# M /trunk/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml
#
# Mention that IPSEC_FILTERGIF is needed to successfully use some of our
# firewalls and IPSEC at the same time.
# ----------------------------------------------------------------------
# giorgos at gothmog:/home/giorgos/ws/doc/en_US.ISO8859-1/books/handbook/security$ svk diff -v -r 8:9
# === chapter.sgml
# ==================================================================
# --- chapter.sgml (revision 8)
# +++ chapter.sgml (revision 9)
# @@ -3117,7 +3117,17 @@
# <quote>Fast IPsec</quote> subsystem in lieu of the KAME
# implementation of IPsec. Consult the &man.fast.ipsec.4;
# manual page for more information.</para>
# + </note>
#
# + <note>
# + <para>To let firewalls properly track state for &man.gif.4;
# + tunnels too, you have to enable the
# + <option>IPSEC_FILTERGIF</option> in your kernel
# + configuration:</para>
# +
# + <screen>
# +options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
# + </screen>
# </note>
#
# <indexterm>
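Review bot: the wording of the added note ("To let firewalls properly track state for &man.gif.4; tunnels too") invites exactly the misreading kern/97057 complains about, namely that IPSEC_FILTERGIF only matters when you want to filter on the gif interface itself. State what the option actually changes instead: without it, packets decapsulated from an IPsec tunnel are not passed back through the packet filter, so a stateful firewall such as pf never sees the inner traffic and TCP connections through the tunnel stall; with it, those packets are filtered like any other. Something along the lines of `<para>Without <option>IPSEC_FILTERGIF</option>, packets decapsulated from an IPsec tunnel are not passed through the packet filter, so stateful firewalls such as pf cannot track the connections and TCP sessions through the tunnel stall. Enable the option in your kernel configuration:</para>` also explains why a pf user who does not filter on gif at all still needs it. The commit message could cite PR kern/97057 so the change is traceable to the reports. The `</note>` bookkeeping is fine: the first note is closed right after the Fast IPsec paragraph and the existing `</note>` now closes the new one.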
# giorgos at gothmog:/home/giorgos/ws/doc/en_US.ISO8859-1/books/handbook/security$