Hi,

I am experiencing the same problem as well when I updated from a March
6, 2004 -CURRENT to the October 19, 2004 -CURRENT.  The problem still
exists with the October 27, 2004 -CURRENT.  I'm using ipfw/dummynet
for outgoing queues with the ACK packets having the highest priority
in its own queue.  However, it seems like while the queues are there,
the information on ipfw queue show doesn't update at all as the Source
and Destination IP is still the same as the first packet after bootup
while the counters change but the ACK packets are not sent on its own
queue but rather with all other packets.  I know it is related with
pfil_hook when ipfw was converted.

This is not related to pfil_hook conversion. The problem is also present in
FreeBSD 4.x-STABLE (just tested it). I think that history of ipfw and ipsec
interaction goes like this:


- in the very beginning, a packet that was processed by ipsec didn't
hit ipfw at all in unencrypted form, ie. one was able to filter esp
and ah protocols only.


- someone fixed this, apparently for incoming packets only, but this
some folks were upset by the fact that they would have to add a rule
for unencrypted protocols into ipfw. At that time (in ipfw1), there was
possibility to check that unencrypted packet actually came from ipsec
(ie. ipfw ipsec flag wasn't implemented)


- IPSEC_FILTERGIF option was added. If set, incoming packets go
through ipfw twice (encrypted and unencrypted). If not set, packets go
to ipfw only once (encrypted).


Currently outgoing packets are always processed like IPSEC_FILTERGIF was
not set (I like to have it set, because I need quite fine-grained firewalling
even inside my ipsec tunnels, which are between different companies). What
I was suggesting (ie. moving pfil_hook processing in ip_output before
ipsec stuff) wasn't really correct: This change should be conditional based on
IPSEC_FILTERGIF setting: The change I described should be done only
when IPSEC_FILTERGIF is set.


Now, ip_output is quite a central part of the IP stack. I would be happy if someone
who knows that part better than me could implement this (I can surely test it easily).


       Ari S.


Cheers, Vince

On Sat, 30 Oct 2004 09:27:50 +0300, Ari Suutari <[EMAIL PROTECTED]> wrote:
Hi,

I noticed that processing order of ipsec and ipfw (pfil_hook) is not
correct for outgoing packets. Currently, ipsec processing is done first,
which makes packets go through without firewall inspection.
This might be a security problem for someone, but at least it
breaks stateful rule handling.

My test setup is (all freebsd 5.3-rc1 machines):

freebsd laptop <-> ipsec tunnel <-> freebsd server

When server sends packet to laptop, it now goes like this:

ip_output -> ipsec -> ip_output -> ipfw -> network

It should go like this:

ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network

I think that this could be fixed by just moving pfil_hook
processing in ip_output before ipsec processing.

    Ari S.
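As an added illustration of the ordering problem Ari describes (this is a constructed model, not FreeBSD kernel code, and it deliberately ignores dummynet, IPSEC_FILTERGIF and the inbound path), the two pipelines below are simulated with a tiny packet struct and a firewall hook that records which IP protocol it was able to see. In the current order the hook only ever sees protocol 50 (ESP), so a rule keyed on the inner TCP port, or a stateful check-state entry created by the inner connection, has nothing to match. In the proposed order the hook sees the plaintext TCP packet first and the ESP packet afterwards. Protocol numbers are the real IANA values; the packet contents and the function names are assumptions made for this example.

```c
#include <stdio.h>

/* Constructed model of the two output orders discussed in the thread.
 * Added example, not FreeBSD's ip_output or ipfw code. */
#define PROTO_TCP 6    /* IANA protocol number for TCP */
#define PROTO_ESP 50   /* IANA protocol number for ESP */

struct pkt {
    int proto;        /* IP protocol as the packet currently appears on the wire */
    int dst_port;     /* transport port; only meaningful while not encapsulated */
    int inner_proto;  /* protocol hidden inside ESP once encapsulated */
};

/* What the firewall hook saw, in order, for one outgoing packet. */
struct fw_log {
    int protos[4];
    int n;
};

/* Model of the ipfw/pfil hook: it can only classify what it is handed. */
static void ipfw_hook(const struct pkt *p, struct fw_log *log)
{
    if (log->n < 4)
        log->protos[log->n++] = p->proto;
}

/* Model of ipsec tunnel-mode output: the TCP packet becomes an ESP packet
 * and the transport header is no longer visible. */
static struct pkt ipsec_encap(struct pkt p)
{
    struct pkt out = { PROTO_ESP, 0, p.proto };
    return out;
}

/* Current order from the thread:
 *   ip_output -> ipsec -> ip_output -> ipfw -> network */
struct fw_log order_current(struct pkt p)
{
    struct fw_log log = { {0}, 0 };
    struct pkt esp = ipsec_encap(p);   /* first ip_output pass: ipsec runs */
    ipfw_hook(&esp, &log);             /* second pass: ipfw sees only ESP */
    return log;
}

/* Proposed order from the thread:
 *   ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network */
struct fw_log order_proposed(struct pkt p)
{
    struct fw_log log = { {0}, 0 };
    ipfw_hook(&p, &log);               /* first pass: ipfw sees plaintext TCP */
    struct pkt esp = ipsec_encap(p);   /* then ipsec encapsulates it */
    ipfw_hook(&esp, &log);             /* second pass: ipfw sees ESP */
    return log;
}

/* Returns 1 if the hook ever saw the given protocol, i.e. whether a rule
 * written against that protocol (or state created from it) could match. */
int fw_saw(const struct fw_log *log, int proto)
{
    for (int i = 0; i < log->n; i++)
        if (log->protos[i] == proto)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed packet: server -> laptop, TCP to port 22, inside the tunnel. */
    struct pkt tcp = { PROTO_TCP, 22, 0 };
    struct fw_log cur = order_current(tcp);
    struct fw_log prop = order_proposed(tcp);

    printf("current order:  ipfw saw plaintext TCP? %d (passes=%d)\n",
           fw_saw(&cur, PROTO_TCP), cur.n);
    printf("proposed order: ipfw saw plaintext TCP? %d (passes=%d)\n",
           fw_saw(&prop, PROTO_TCP), prop.n);
    return 0;
}
```

The model is one-directional on purpose: it shows why a stateful rule set on the server cannot see the inner connection at all on the way out under the current order, which is the breakage Ari reports, while the proposed order gives ipfw both the plaintext and the ESP view, matching the two-pass behaviour that IPSEC_FILTERGIF already provides for incoming packets.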

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
