Impossible to IPfilter this?

[Lupe Christoph]

Hi!

I'm trying to increase security on my FreeBSD 4.8 firewall/DSL router/VPN 
router.

My problem is with firewalling the VPN part. I'm using a tunnel to a
RedHat 7.1 box running FreeS/WAN. This tunnel allows traffic from my
internal net (172.17.0.0/24) to that box only:

spdadd 172.17.0.0/24 $REDHAT/32 any -P out ipsec esp/tunnel/$MYADDR-$REDHAT/unique;
spdadd $REDHAT/32 172.17.0.0/24 any -P in  ipsec esp/tunnel/$REDHAT-$MYADDR/unique;

What I want to do is prohibit traffic from $REDHAT to 172.17.0.7, the
internal address of this FreeBSD box. I'm using IPFilter, so I inserted
a rule like this:

block in   log  quick  from any  to 172.17.0.7 

It is not attached to any interface, so it should supposedly work even
for tunnelled traffic. Only it doesn't.

I tried using GIF devices, but could not get them to work with
FreeS/WAN 1.95. Did anybody accomplish this?

I remember talk on this mailing list about making IPSec use an interface
even when it is not run with GIFs. I have not followed the FreeBSD 5
work. Is this being integrated there? It would be very useful for this
kind of situation, and I'm using it on some other FreeS/WAN box I
maintain. But I want to secure my firewall against the other side being
taken over, so this does not help me here.

Any hints how to resolve this are welcome. I don't think this is a
general IPFilter problem, hence I'm asking on this mailing list rather
than that for IPFilter.

Thank you,
Lupe Christoph

PS: There was talk about the sequence IPFW/IPNat/IPFilter get invoked.
    It would be interesting to put the IPSec code in this picture. Are
    IPSec packets going through *any* of them? With/out GIF?
-- 
| lupe at lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze                         |
| "Thief of Time", Terry Pratchett                                       |