Hi, I don't think this is quite correct.
The fact that I have a tunnel means I have some relation with the other network, and that I do not trust the network(s) between us. It does NOT mean that I trust their security setup and want to receive any packet that they send me. So I would certainly hope that I have the option of filtering. Cheers, Alex Le Heux On Mon, Jan 14, 2002 at 05:32:11PM +0530, Kshitij Gunjikar wrote: > > > Hi Rene, > I'm wondering why do you want to filter Secure traffic? > > The very fact that you have a tunnel to a place means you trust that > network. Hence, why filter? > > What are the complex situations you have in mind? > > Regards > Kshitij > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of Rene de Vries > Sent: Sunday, January 13, 2002 10:32 PM > To: [EMAIL PROTECTED] > Subject: Filtering packets received through an ipsec tunnel > > > Hello, > > > This message was already posted to [EMAIL PROTECTED], but with > > limited success. I'm hoping that someone on [EMAIL PROTECTED] can give me > > some more information. > > By experimenting with ipsec and looking at the source of "ip_input.c" a > co-worker and I found the following out. > > When a ipsec tunnel packet is received this (protocol 50/51) packet is > passed through ip-filter (& co). After filtering and when it has been > determent that the current host is the destination (tunnel end-point), > this packet is decrypted/verified. The decrypted packet is then pushed > back into the queue that leads to ip_input(...). So far so good.... > > But once in ip_input(...) the filtering code is skipped and we were > wondering why. > > I know that ipsec has some handles to be able to filter on address, > protocol and/or port. But for more complex situations this is not > enough. In these situations it would be nice to be able to use > ip-filter (& co) on traffic from the tunnel (and also for traffic going > into the tunnel). > > I was wondering why this is implemented the way it is. Maybe someone on > this list could shed a light on this? > > Rene > -- > Rene de Vries <[EMAIL PROTECTED]> > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-net" in the body of the message > > > > _________________________________________________________ > Do You Yahoo!? > Get your free @yahoo.com address at http://mail.yahoo.com > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-net" in the body of the message -- "My theory is that the (Internet) industry was started in large part by technologists rather than media people..." - Robin Webster, President, Interactive Advertising Bureau To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
