tech-net archive


Re: PFIL for IPsec tunneled packets



> Are you sure?
Quite.
First, I block.
Then I pass loopback, then my own broadcasts.
After that, I have anti-spoof rules.
Then, I pass ESP, AH and UDP/IKE and ICMP for the IPsec peers.

> Or do you have those anti-spoofing rules in your packet filter  
> (PF/IPfilter) config?
Yes, but I don't understand what you mean by "or".

> Also, if you don't run the PFIL_HOOKS on the decapsulated package, how do 
> you prevent someone from sending "internal" packets via IPSEC - plain  
> trust?
Yes. I trust the IPsec peer (because it's run by me).

Not that I'm against running de-encapsulated packets through the filter again (to the
contrary, I would like that idea). Only, those packets must be distinguishable
from packets arriving in the clear.
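As an added illustration (not a ruleset from this thread or from any NetBSD source), the following pf.conf fragment lays out the rule order the reply describes: default block, then loopback, own broadcasts, anti-spoof rules, and finally ESP, AH, UDP/IKE and ICMP for the IPsec peers. Interface names, addresses and the peer list are assumed placeholders.

```pf
# Assumed names and addresses (documentation ranges), not values from the thread.
ext_if      = "bge0"
ipsec_peers = "{ 198.51.100.7, 198.51.100.8 }"

# 1. Default deny. Without "quick", later matching rules override it,
#    which is why every pass rule below is marked "quick".
block all

# 2. Loopback is always allowed.
pass quick on lo0 all

# 3. Our own broadcasts going out on the external interface.
pass out quick on $ext_if inet from ($ext_if) to 255.255.255.255

# 4. Anti-spoof: drop packets that claim an address belonging to an
#    interface but arrive on a different one.
antispoof quick for { lo0, $ext_if }

# 5. IPsec control and data traffic, restricted to the trusted peers:
#    ESP and AH carry the tunnel, UDP 500/4500 carry IKE (and NAT-T),
#    ICMP lets the peers exchange errors and reachability checks.
pass in  quick on $ext_if proto { esp, ah } from $ipsec_peers to ($ext_if)
pass out quick on $ext_if proto { esp, ah } from ($ext_if) to $ipsec_peers
pass in  quick on $ext_if proto udp from $ipsec_peers to ($ext_if) port { 500, 4500 }
pass out quick on $ext_if proto udp from ($ext_if) to $ipsec_peers port { 500, 4500 }
pass in  quick on $ext_if proto icmp from $ipsec_peers to ($ext_if)
pass out quick on $ext_if proto icmp from ($ext_if) to $ipsec_peers

# Note: this ruleset only sees the outer (clear-text) packets. Whether the
# de-encapsulated inner packets are filtered again depends on the kernel
# running PFIL hooks on them, which is the question the thread discusses.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check before `pfctl -f /etc/pf.conf`.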
