From: Sono C. <so...@ch...> - 2006-05-25 20:06:38
Curious to know if one can filter ip/port somehow? All my firewall rules are being bypassed due to ESP encrypting the TCP header. OpenBSD provides an interface on which you can filter (enc0); does anything like this exist in the FreeBSD or Linux world?

Thanks,
Sono
From: VANHULLEBUS Y. <va...@fr...> - 2006-05-27 12:59:10
On Thu, May 25, 2006 at 02:06:33PM -0600, Sono Chhibber wrote:
> Curious to know if one can filter ip/port somehow? All my firewall rules are
> being bypassed due to ESP encrypting the tcp header, openBSD provides a
> interface on which you can filter (enc0) does anything like this exist in the
> freebsd or linux world?

Hi.

I sent a FreeBSD PR with a patch for enc0 support, which seems to need some more work (some people reported to me that they are working on some things to make it work with pf).

Yvan.
From: Christian K. <ck-...@ck...> - 2006-05-27 15:10:47
Hi,

On Sat, 27 May 2006, VANHULLEBUS Yvan wrote:
> On Thu, May 25, 2006 at 02:06:33PM -0600, Sono Chhibber wrote:
>> Curious to know if one can filter ip/port somehow? All my firewall rules are
>> being bypassed due to ESP encrypting the tcp header, openBSD provides a
>> interface on which you can filter (enc0) does anything like this exist in the
>> freebsd or linux world?
>
> Hi.
>
> I sent a FreeBSD pr with a patch for enc0 support, which seems to need
> some more works (some people reported me that they are working on some
> things to make it work with pf).

There is also a kernel option that enables filtering of IPsec packets:

    # Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
    # to be processed by any configured packet filtering (ipfw, ipf).
    # The default is that packets coming from a tunnel are _not_ processed;
    # they are assumed trusted.
    #
    options IPSEC_FILTERGIF #filter ipsec packets from a tunnel

Despite the slightly misleading name, this will enable filtering any packets coming from an IPsec tunnel using the ipsec keyword. There is no need to use the gif interface.

Greetings
Christian

--
Christian Kratzer ck...@ck...
CK Software GmbH http://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136
From: Sono C. <so...@ch...> - 2006-05-30 17:56:28
Hi Yvan,

I saw the patch you submitted; by any chance do you know of a timeframe for it to be implemented?

Thanks,
Sono

On Sat, 27 May 2006 14:58:38 +0200, VANHULLEBUS Yvan wrote
> On Thu, May 25, 2006 at 02:06:33PM -0600, Sono Chhibber wrote:
> > Curious to know if one can filter ip/port somehow? All my firewall rules are
> > being bypassed due to ESP encrypting the tcp header, openBSD provides a
> > interface on which you can filter (enc0) does anything like this exist in the
> > freebsd or linux world?
>
> Hi.
>
> I sent a FreeBSD pr with a patch for enc0 support, which seems to
> need some more works (some people reported me that they are working
> on some things to make it work with pf).
>
> Yvan.
>
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat
> certifications in the hosting industry. Fanatical Support. Click to
> learn more http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
> _______________________________________________
> Ipsec-tools-users mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users

--
Open WebMail Project (http://openwebmail.org)
From: Sono C. <so...@ch...> - 2006-05-30 18:04:45
Thanks for the info Christian,

Are you aware if this works with transport mode?

Just to clarify, enabling

    options IPSEC_FILTERGIF #filter ipsec packets

will enable me to filter on an interface where IPsec has been used, without using something like enc0 or gif interfaces?

I also noticed mention of ipfw and ipf; I am assuming this works for pf as well?

Thanks
Sono.

Do you know if this will work with transport mode?

On Sat, 27 May 2006 17:10:31 +0200 (CEST), Christian Kratzer wrote
> Hi,
>
> On Sat, 27 May 2006, VANHULLEBUS Yvan wrote:
> > On Thu, May 25, 2006 at 02:06:33PM -0600, Sono Chhibber wrote:
> >> Curious to know if one can filter ip/port somehow? All my firewall rules are
> >> being bypassed due to ESP encrypting the tcp header, openBSD provides a
> >> interface on which you can filter (enc0) does anything like this exist in the
> >> freebsd or linux world?
> >
> > Hi.
> >
> > I sent a FreeBSD pr with a patch for enc0 support, which seems to need
> > some more works (some people reported me that they are working on some
> > things to make it work with pf).
>
> there is also a kernel option that enables filtering of
> ipsec packets:
>
> # Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
> # to be processed by any configured packet filtering (ipfw, ipf).
> # The default is that packets coming from a tunnel are _not_ processed;
> # they are assumed trusted.
> #
> options IPSEC_FILTERGIF #filter ipsec packets
> from a tunnel
>
> dispite of the slightly misleading name this will enbale filtering
> any packets coming from an ipsec tunnel using the ipsec keyword.
> There is no need to use the gif interface.
>
> Greetings
> Christian
>
> --
> Christian Kratzer ck...@ck...
> CK Software GmbH http://www.cksoft.de/
> Phone: +49 7452 889 135 Fax: +49 7452 889 136
From: Christian K. <ck...@ck...> - 2006-05-31 18:11:10
Hi,

On Tue, 30 May 2006, Sono Chhibber wrote:
> Thanks for the info Christian,
>
> Are you aware if this works with transport mode?
>
> Just to clarify, enabling
>
> options IPSEC_FILTERGIF #filter ipsec packets
>
> will enable me to filter on interface where IPsec has been used with out using
> something like enc0 or gif interfaces?

It has nothing to do with enc0 or gif. With IPSEC_FILTERGIF enabled you can use the ipsec keyword in ipfw to match packets received over IPsec. See the ipfw man page and search for ipsec.

We use it for filtering traffic over ESP tunnels. No gif or enc involved. Transport mode should work just as well.

> I also noticed mention of ipfw and ipf, I am assuming this works for pf as well?

pf does not yet support the ipsec keyword. Check the following PR:

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/98219

Greetings
Christian

--
Christian Kratzer ck...@ck...
CK Software GmbH http://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136
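The following rc.firewall-style loader is an added example, not code from anyone in this thread. It shows how the IPSEC_FILTERGIF kernel option (from Christian's first message) and the ipfw ipsec option (from his last) fit together: the ESP carrier is allowed only between the known peers, and the decrypted inner packets, which ipfw sees on a second pass only when IPSEC_FILTERGIF is built in, are matched with the ipsec option so the real TCP ports become filterable again. The host and peer addresses, the interface name and the rule numbers are constructed placeholders; the kernel is assumed to be built with options IPSEC and options IPSEC_FILTERGIF. Run it with the argument "load" to install the rules, or without arguments to print them instead.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules that use the "ipsec" option
# on FreeBSD to filter traffic that arrived over ESP. Assumes a kernel with
# "options IPSEC" and "options IPSEC_FILTERGIF"; all addresses are constructed.
fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo for a dry run
ext_if="${ext_if:-em0}"        # constructed interface name
me="${me:-192.0.2.10}"         # this host (constructed, transport-mode peer)
peer="${peer:-192.0.2.20}"     # remote IPsec peer (constructed)

load_ipsec_rules() {
    $fwcmd -q flush
    # The ESP carrier is opaque to ipfw (ports are inside the encrypted
    # payload), so all we can do with it is restrict it to the known peers.
    $fwcmd add 100 allow esp from "$peer" to "$me" in via "$ext_if"
    $fwcmd add 110 allow esp from "$me" to "$peer" out via "$ext_if"
    # IKE, so racoon can negotiate the SAs.
    $fwcmd add 120 allow udp from "$peer" 500 to "$me" 500 via "$ext_if"
    # With IPSEC_FILTERGIF the kernel hands the decrypted inner packet back to
    # ipfw, and only such packets match the "ipsec" option. Now the TCP port is
    # visible, so the policy can be expressed on it.
    $fwcmd add 200 allow tcp from "$peer" to "$me" 22 in ipsec
    $fwcmd add 210 deny log ip from any to any in ipsec
    # Cleartext traffic from the peer must not slip past the same policy.
    $fwcmd add 300 deny log tcp from "$peer" to "$me" 22 in not ipsec
    $fwcmd add 400 allow ip from "$me" to any out
    $fwcmd add 65000 deny ip from any to any
}

# Number of rules that mention the ipsec option (used for self-checking).
count_ipsec_rules() {
    (fwcmd=echo; load_ipsec_rules) | grep -c ' ipsec'
}

if [ "${1:-}" = "load" ]; then
    load_ipsec_rules
else
    (fwcmd=echo; load_ipsec_rules)
fi
```

Rule 210 is the point of the exercise: anything that was decrypted but is not explicitly allowed is logged and dropped, which is exactly what was being bypassed before. Rule 300 closes the other side of the gap, so an unauthenticated cleartext connection to the same service cannot be used to sidestep the IPsec policy. Because pf did not support the ipsec keyword at the time of the thread, this only applies to ipfw.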