Impossible to IPfilter this?
Lupe Christoph
lupe at lupe-christoph.de
Tue Jun 10 22:27:31 PDT 2003
On Tuesday, 2003-06-10 at 16:07:44 -0700, Crist J. Clark wrote:
> On Sat, Jun 07, 2003 at 01:15:40PM +0200, Lupe Christoph wrote:
> > block in log quick from any to 172.17.0.7
> > It is not attached to any interface, so it should supposedly work even
> > for tunnelled traffic. Only it doesn't.
> Not sure who told you that, but it won't affect tunneled traffic. Not
> specifying an interface just means that it will be applied to all
> interfaces.
Sigh. I noticed. It was just a try, nobody told me.
> > PS: There was talk about the sequence IPFW/IPNat/IPFilter get invoked.
> > It would be interesting to put the IPSec code in this picture. Are
> > IPSec packets going through *any* of them? With/out GIF?
> Here's what happens (approximately), the packets get fed to the
> ip_input() routine. They pass through IPFilter then IPFW. Later they
> find themselves in IPsec processing where the packets are taken out of
> the tunnel. At this point, the packets are fed back into ip_input(),
> BUT the reinjected packets skip all firewall processing on this
> pass. With the IPSEC_FILTERGIF option set, the packets _will_ go
> through the firewall, IPFilter then IPFW, after IPsec processing.
... even if they are not passing through a GIF interface? My LINT says
# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
# to be processed by any configured packet filtering (ipfw, ipf).
And I could not get GIF to work with FreeS/WAN.
> However, there may be an ugly hack to try here. I think I might try it
> on one of my experimental setups at home. It may be possible to set up
> some additional IPsec policies to block the traffic you want to stop.
That could be very interesting.
Thank you!
Lupe Christoph
--
| lupe at lupe-christoph.de | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett |
More information about the freebsd-security
mailing list