Hi,

Here are two small patches (done on 5.1-RELEASE, but should be ok for -current also) which add a new "ipsec" flag to ipfw2. Rules with this flag match only packets that have IPsec history (i.e. came from IPsec processing). Rules with "not ipsec" match only non-IPsec packets. Without the new keyword, both types of packets match (as before).

To try these out, apply the patches, and compile the kernel with

    options IPFIREWALL
    options IPSEC
    options IPSEC_ESP
    options IPSEC_FILTERGIF

Also, recompile /usr/src/sbin/ipfw and install it.

With the new flag it is easily possible to stop spoofing from RFC1918 networks, but allow traffic from those nets if it is coming from IPsec:

    ipfw add deny all from 192.168.0.0/16 to any via ${oif} not ipsec
    ipfw add pass tcp from 192.168.x.y/24 to a.b.c.d 23 ipsec setup

This example drops spoofed packets, but allows a telnet connection *if* the packet comes via IPsec.

My testing has been done on a 5.1-RELEASE machine. It seems to work, and it didn't crash anything.

I hope that this flag is useful to others too, maybe someone could get it committed into -current?

Ari S.
Lappeenranta, Finland
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
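The matching semantics of the proposed keyword (no keyword / "ipsec" / "not ipsec"), applied to the two-rule anti-spoofing set from the mail, as an added user-space model that is not the patch's or ipfw's own code. It assumes 192.168.1.0/24 in place of 192.168.x.y/24, a default-deny fall-through, and leaves the "via ${oif}" interface check out.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Tri-state for the new keyword: no keyword, "ipsec", "not ipsec". */
enum ipsec_opt { IPSEC_ANY = 0, IPSEC_ONLY, IPSEC_NOT };
enum action { ACT_DENY = 0, ACT_PASS = 1 };
/* Modelled packet: source address (host order), dst port, IPsec history flag. */
struct pkt { uint32_t src; int dport; bool has_ipsec_hist; };
/* Modelled rule: prefix 0 = any source, dport 0 = any port. */
struct rule { enum action act; uint32_t net; int prefix; int dport; enum ipsec_opt ipsec; };

static uint32_t ip4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

static bool in_net(uint32_t addr, uint32_t net, int prefix) {
    uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    return (addr & mask) == (net & mask);
}

/* The ipsec / not ipsec semantics described in the mail. */
static bool ipsec_matches(enum ipsec_opt opt, bool hist) {
    if (opt == IPSEC_ONLY) return hist;
    if (opt == IPSEC_NOT)  return !hist;
    return true;   /* no keyword: both IPsec and plain packets match, as before */
}

static bool rule_matches(const struct rule *r, const struct pkt *p) {
    return in_net(p->src, r->net, r->prefix)
        && (r->dport == 0 || r->dport == p->dport)
        && ipsec_matches(r->ipsec, p->has_ipsec_hist);
}

/* First matching rule wins; no match falls through to deny (constructed default). */
enum action evaluate(const struct rule *rules, size_t n, const struct pkt *p) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p)) return rules[i].act;
    return ACT_DENY;
}

/* The two rules from the mail; 192.168.1.0/24 stands in for 192.168.x.y/24 (assumption). */
enum action check_example(const char *src, int dport, bool from_ipsec) {
    const struct rule rules[2] = {
        { ACT_DENY, ip4("192.168.0.0"), 16, 0,  IPSEC_NOT  },
        { ACT_PASS, ip4("192.168.1.0"), 24, 23, IPSEC_ONLY },
    };
    struct pkt p = { ip4(src), dport, from_ipsec };
    return evaluate(rules, 2, &p);
}
```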