tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: PFIL for IPsec tunneled packets (was: reverse processing order: NAT, IPsec?)

On Thu, 25 Jun 2009, Edgar Fuß wrote:
Applying this "fix" would break my installation. At least as long as those packets are indistinguishable from non-IPsec traffic arriving on the same interface. Currently, packets arriving on the gateway's external interface but appearing to come from an internal network are dropped by anti-spoofing filter rules. ESP traffic passes, and the de-encapsulated packets are never seen again by the packet filter. If they were, they should be somehow marked as being de-encapsulated---otherwise they would be dropped by the anti-spoof rules.

Are you sure? Looking at the code, only the pfil_run_hooks() call is ran only for encapsulated packages, everything else is outside that codepath. Or do you have those anti-spoofing rules in your packet filter (PF/IPfilter) config?

Also, if you don't run the PFIL_HOOKS on the decapsulated package, how do you prevent someone from sending "internal" packets via IPSEC - plain trust?

 - Hubert (still trying to get a grip on the code)

Home | Main Index | Thread Index | Old Index