List: freebsd-bugs
Subject: kern/98219: pf needs a way of matching on decapsulated IPSEC packets
From: Dmitry Andrianov <dimas () dataart ! com>
Date: 2006-05-31 14:53:11
Message-ID: 200605311453.k4VErBls069809 () www ! freebsd ! org
> Number: 98219
> Category: kern
> Synopsis: pf needs a way of matching on decapsulated IPSEC packets
> Confidential: no
> Severity: non-critical
> Priority: low
> Responsible: freebsd-bugs
> State: open
> Quarter:
> Keywords:
> Date-Required:
> Class: change-request
> Submitter-Id: current-users
> Arrival-Date: Wed May 31 15:00:36 GMT 2006
> Closed-Date:
> Last-Modified:
> Originator: Dmitry Andrianov
> Release: 6.0
> Organization:
> Environment:
FreeBSD 6.0-RELEASE #0
> Description:
It seems there is no way to distinguish an ordinary packet that arrived from the wire from one decapsulated from an IPSEC ESP packet. When the kernel is built with IPSEC_FILTERGIF, the decapsulated packet appears to arrive on the same interface on which the original ESP packet arrived.
Normally you have to enable ESP packets:
pass in quick on fxp0 proto esp from $vpn_peer to fxp0:any
But to avoid the firewall dropping decapsulated packets, you also need
pass in quick on fxp0 from $vpn_remote_net to $local_net
But this rule will also allow any packet with spoofed IPs pretending to be from vpn_net to local_net to be accepted and processed.
> How-To-Repeat:
> Fix:
> Release-Note:
> Audit-Trail:
> Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org"
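To make the gap the PR describes concrete, here is an added pf.conf sketch (not part of the PR and not FreeBSD's own code) that places the two rules quoted above beside the form that becomes possible once decapsulated packets are exposed on a dedicated interface, as the enc(4) interface that FreeBSD added later provides. The macro names, the interface name enc0 and the address values are assumptions.

```pf
# Added illustration, not from the PR. Addresses and macros are constructed.
ext_if         = "fxp0"
vpn_peer       = "203.0.113.10"    # remote IPsec gateway (example address)
vpn_remote_net = "10.20.0.0/16"    # network behind the peer
local_net      = "192.168.1.0/24"

# Default deny on the wire interface; the rules below punch holes in it.
block in log on $ext_if

# --- Variant A: the situation described in the PR (IPSEC_FILTERGIF, 6.0) ---
# ESP from the peer must be let in so the kernel can decapsulate it.
pass in quick on $ext_if proto esp from $vpn_peer to ($ext_if)
# The decapsulated inner packet is re-injected as if it had arrived on
# $ext_if, so it needs its own pass rule. pf cannot tell it apart from a
# cleartext packet that merely claims a $vpn_remote_net source address, so
# this rule also admits spoofed traffic straight from the wire.
pass in quick on $ext_if from $vpn_remote_net to $local_net

# --- Variant B: replaces the two Variant A rules on a kernel where
# decapsulated packets appear on the enc(4) interface (assumed: enc0) ---
# Only ESP is accepted on the wire interface. A cleartext packet with a
# $vpn_remote_net source arriving on $ext_if falls through to "block in".
pass in quick on $ext_if proto esp from $vpn_peer to ($ext_if)
# Inner packets are matched on the interface where only IPsec-decapsulated
# traffic can appear, so the source address check is meaningful here.
pass in quick on enc0 from $vpn_remote_net to $local_net
```

Whether the inner packet is additionally run through the wire-interface rules after decapsulation depends on the kernel's IPsec filtering options, so Variant B should be checked with `pfctl -s rules` and `pfctl -vs state` against real VPN traffic before relying on it.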