Impossible to IPfilter this?

Lupe Christoph lupe at lupe-christoph.de
Tue Jun 10 22:27:31 PDT 2003


On Tuesday, 2003-06-10 at 16:07:44 -0700, Crist J. Clark wrote:
> On Sat, Jun 07, 2003 at 01:15:40PM +0200, Lupe Christoph wrote:

> > block in   log  quick  from any  to 172.17.0.7 

> > It is not attached to any interface, so it should supposedly work even
> > for tunnelled traffic. Only it doesn't.

> Not sure who told you that, but it won't affect tunneled traffic. Not
> specifying an interface just means that it will be applied to all
> interfaces.

Sigh. I noticed. It was just a try, nobody told me.

> > PS: There was talk about the sequence IPFW/IPNat/IPFilter get invoked.
> >     It would be interesting to put the IPSec code in this picture. Are
> >     IPSec packets going through *any* of them? With/out GIF?

> Here's what happens (approximately), the packets get fed to the
> ip_input() routine. They pass through IPFilter then IPFW. Later they
> find themselves in IPsec processing where the packets are taken out of
> the tunnel. At this point, the packets are fed back into ip_input(),
> BUT the reinjected packets skip all firewall processing on this
> pass. With the IPSEC_FILTERGIF option set, the packets _will_ go
> through the firewall, IPFilter then IPFW, after IPsec processing.

... even if they are not passing through a GIF interface? My LINT says

# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
# to be processed by any configured packet filtering (ipfw, ipf).

And I could not get GIF to work with FreeS/WAN.

> However, there may be an ugly hack to try here. I think I might try it
> on one of my experimental setups at home. It may be possible to set up
> some additional IPsec policies to block the traffic you want to stop.

That could be very interesting.

Thank you!
Lupe Christoph
-- 
| lupe at lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze                         |
| "Thief of Time", Terry Pratchett                                       |
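
[Editor's added example, not part of this message or of the quoted reply.] The three pieces the thread touches, side by side: the kernel option from LINT, the ipf rule from the original post, and a setkey(8) policy that is one possible reading of the "additional IPsec policies" idea above. The discard SPD entry is an assumption, not something the thread confirms works; the setkey directive syntax itself is standard KAME.

```conf
# Kernel config (e.g. /usr/src/sys/i386/conf/MYKERNEL). IPSEC_FILTERGIF
# makes packets that come out of a gif tunnel pass IPFilter and IPFW
# again after IPsec processing. Whether it also covers traffic that is
# not carried over a gif interface is exactly the open question in the
# thread; LINT only promises gif.
options IPSEC
options IPSEC_ESP
options IPSEC_FILTERGIF

# /etc/ipf.rules: the rule from the original post. Without FILTERGIF it
# only sees the packet on its first pass through ip_input(), i.e. the
# outer ESP/AH packet addressed to the gateway, never the decapsulated
# inner packet addressed to 172.17.0.7.
block in log quick from any to 172.17.0.7

# /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf
# Assumed rendering of the "block it with an IPsec policy" idea: an
# inbound SPD entry with policy 'discard' for the protected host. The
# inner packet is checked against the SPD after decapsulation, so a
# matching discard entry should drop it. Put it before the tunnel's own
# spdadd lines so it is matched first. (Assumption: untested here.)
spdflush;
spdadd 0.0.0.0/0 172.17.0.7/32 any -P in discard;
# ... followed by the normal tunnel policies for the rest of 172.17/16.
```

Load order matters: the `spdadd ... discard` line must precede the broader `-P in ipsec esp/tunnel/...` entries for the same subnet, otherwise the tunnel policy matches first and the discard is never consulted.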


More information about the freebsd-security mailing list