Hi Rene,
I'm wondering why you want to filter Secure traffic?
The very fact that you have a tunnel to a place means you trust that
network. Hence, why filter?
What are the complex situations you have in mind?
Regards
Kshitij
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Rene de Vries
Sent: Sunday, January 13, 2002 10:32 PM
To: [EMAIL PROTECTED]
Subject: Filtering packets received through an ipsec tunnel
Hello,
> This message was already posted to [EMAIL PROTECTED], but with
> limited success. I'm hoping that someone on [EMAIL PROTECTED] can give me
> some more information.
By experimenting with ipsec and looking at the source of "ip_input.c" a
co-worker and I found the following out.
When an ipsec tunnel packet is received, this (protocol 50/51) packet is
passed through ip-filter (& co). After filtering, and when it has been
determined that the current host is the destination (tunnel end-point),
this packet is decrypted/verified. The decrypted packet is then pushed
back into the queue that leads to ip_input(...). So far so good....
But once in ip_input(...) the filtering code is skipped and we were
wondering why.
I know that ipsec has some handles to be able to filter on address,
protocol and/or port. But for more complex situations this is not
enough. In these situations it would be nice to be able to use
ip-filter (& co) on traffic from the tunnel (and also for traffic going
into the tunnel).
I was wondering why this is implemented the way it is. Maybe someone on
this list could shed some light on this?
Rene
--
Rene de Vries <[EMAIL PROTECTED]>
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
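The packet path Rene describes (the outer ESP/AH packet goes through the filter, the decrypted packet is re-queued to ip_input and the filter is skipped) can be modelled in a few lines to show why it matters for a defender: a rule written against the inner traffic is never consulted, so whatever the remote tunnel end-point sends inside the tunnel reaches the host. The following is an added example, not code from FreeBSD, ip_input.c or anyone in this thread. The Packet and Rule types, the from_tunnel flag, the filter_decrypted switch and the addresses and rule are all my own constructions; the switch is only there to contrast the behaviour described above with the alternative of filtering the decrypted packet as well.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional

ESP, AH, TCP = 50, 51, 6
LOCAL = "10.0.0.1"   # constructed: address of our tunnel end-point


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0
    inner: Optional[Packet] = None   # payload of an ESP/AH tunnel-mode packet
    from_tunnel: bool = False        # hypothetical flag: set when re-injected after decryption


@dataclass
class Rule:
    action: str                      # "block" or "pass"
    proto: Optional[int] = None
    dport: Optional[int] = None
    from_tunnel: Optional[bool] = None   # hypothetical: restrict a rule to decrypted traffic


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule field of None is a wildcard; every set field must equal the packet's."""
    return all(value is None or value == getattr(pkt, name)
               for name, value in (("proto", rule.proto),
                                   ("dport", rule.dport),
                                   ("from_tunnel", rule.from_tunnel)))


def ipfilter(rules: List[Rule], pkt: Packet) -> str:
    """Toy packet filter: first matching rule wins, default is pass."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "pass"


def ip_input(pkt: Packet, rules: List[Rule], filter_decrypted: bool = False,
             log: Optional[List[str]] = None) -> List[str]:
    """Model of the input path: filter, then deliver, forward, or decapsulate and re-queue.

    With filter_decrypted=False the re-injected (decrypted) packet bypasses the
    filter, which is the behaviour the thread describes.
    """
    log = [] if log is None else log
    if not pkt.from_tunnel or filter_decrypted:
        verdict = ipfilter(rules, pkt)
        log.append(f"filter: proto={pkt.proto} dport={pkt.dport} "
                   f"tunnel={pkt.from_tunnel} -> {verdict}")
        if verdict == "block":
            return log
    else:
        log.append("filter skipped for re-injected packet")
    if pkt.dst != LOCAL:
        log.append("not for us: forward")
        return log
    if pkt.proto in (ESP, AH) and pkt.inner is not None:
        inner = pkt.inner
        inner.from_tunnel = True          # decrypted/verified, back into the input queue
        log.append("decapsulated, re-queued to ip_input")
        return ip_input(inner, rules, filter_decrypted, log)
    log.append(f"delivered: proto={pkt.proto} dport={pkt.dport}")
    return log


def demo(filter_decrypted: bool) -> List[str]:
    """Constructed scenario: a rule blocking TCP/23 to this host, and a tunnelled
    TCP/23 packet arriving inside ESP from the remote end-point."""
    rules = [Rule("block", proto=TCP, dport=23)]
    inner = Packet("192.168.1.5", LOCAL, TCP, dport=23)
    outer = Packet("192.0.2.7", LOCAL, ESP, inner=inner)
    return ip_input(outer, rules, filter_decrypted)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"filter_decrypted={flag}:")
        for line in demo(flag):
            print("  " + line)
```

With filter_decrypted=False the trace ends in "delivered: proto=6 dport=23": the block rule is matched against nothing, because the only packet the filter ever saw was the ESP envelope. With filter_decrypted=True the same rule blocks the decrypted packet. The from_tunnel flag on Rule also shows the other half of Rene's point: once decrypted packets do pass through the filter, a rule can be scoped to tunnel traffic alone, which is what makes filtering inside the tunnel useful rather than just a repeat of the outer rules.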