I am experiencing the same problem as well since I updated from a March 6, 2004 -CURRENT to the October 19, 2004 -CURRENT. The problem still exists with the October 27, 2004 -CURRENT. I'm using ipfw/dummynet for outgoing queues, with the ACK packets having the highest priority in their own queue. However, it seems that while the queues are there, the information from ipfw queue show doesn't update at all: the Source and Destination IP are still the same as for the first packet after bootup while the counters change, and the ACK packets are not sent on their own queue but rather with all other packets. I know it is related to pfil_hook, from when ipfw was converted.

Cheers,
Vince

On Sat, 30 Oct 2004 09:27:50 +0300, Ari Suutari <ari_at_suutari.iki.fi> wrote:
> Hi,
>
> I noticed that the processing order of ipsec and ipfw (pfil_hook) is not
> correct for outgoing packets. Currently, ipsec processing is done first,
> which makes packets go through without firewall inspection.
> This might be a security problem for someone, but at least it
> breaks stateful rule handling.
>
> My test setup is (all FreeBSD 5.3-RC1 machines):
>
> freebsd laptop <-> ipsec tunnel <-> freebsd server
>
> When the server sends a packet to the laptop, it now goes like this:
>
> ip_output -> ipsec -> ip_output -> ipfw -> network
>
> It should go like this:
>
> ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network
>
> I think that this could be fixed by just moving pfil_hook
> processing in ip_output before ipsec processing.
>
> Ari S.
>
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"

Received on Mon Nov 01 2004 - 01:43:44 UTC
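The two hook orders Ari describes can be checked against a stateful ruleset without a FreeBSD box. The model below is an added example written for this archive page; it is not FreeBSD kernel code and does not reproduce ip_output() internals beyond the two call orders quoted above. The addresses, ports, the ESP policy and the three ipfw-style rules are all constructed for the illustration (the thread only names a "laptop" and a "server"). It shows the two consequences he names: with ipsec first, the firewall only ever sees ESP between the gateways, so a deny rule on the inner traffic never fires, and no keep-state entry is created for the inner flow, so the decapsulated reply is dropped on the way back.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "esp"
    sport: int = 0
    dport: int = 0
    inner: Optional["Packet"] = None   # set once tunnel-mode ESP has wrapped the packet


# Constructed addresses for the example (hypothetical, not from the thread).
SERVER, LAPTOP = "10.0.0.1", "10.0.1.5"
SERVER_GW, LAPTOP_GW = "192.0.2.1", "198.51.100.7"


def ipsec_output(pkt: Packet) -> Packet:
    """Constructed SP: traffic from the server towards the laptop's net is ESP-tunnelled."""
    if pkt.proto != "esp" and pkt.dst.startswith("10.0.1."):
        return Packet(SERVER_GW, LAPTOP_GW, "esp", inner=pkt)
    return pkt


def ipsec_input(pkt: Packet) -> Packet:
    """Decapsulate ESP from the peer gateway; the inner packet re-enters ip_input()."""
    if pkt.proto == "esp" and pkt.inner is not None:
        return pkt.inner
    return pkt


Rule = Tuple[str, Callable[[Packet], bool], bool]   # (action, match, keep-state)


class Firewall:
    """Tiny ipfw-like ruleset: check-state first, then the static rules in order."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.dynamic = set()   # flows admitted by keep-state; replies match the reverse tuple
        self.seen = []         # every 5-tuple the pfil hook actually inspected

    @staticmethod
    def flow(p: Packet):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def reverse(p: Packet):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def check(self, p: Packet) -> str:
        self.seen.append(self.flow(p))
        if self.flow(p) in self.dynamic or self.reverse(p) in self.dynamic:
            return "allow"                          # check-state hit
        for action, match, keep_state in self.rules:
            if match(p):
                if keep_state and action == "allow":
                    self.dynamic.add(self.flow(p))
                return action
        return "deny"                               # default deny at the end of the ruleset


def ruleset() -> List[Rule]:
    return [
        # deny telnet leaving the server, tunnel or not
        ("deny", lambda p: p.proto == "tcp" and p.dport == 23, False),
        # let the ESP tunnel itself pass between the two gateways
        ("allow", lambda p: p.proto == "esp" and {p.src, p.dst} == {SERVER_GW, LAPTOP_GW}, False),
        # the server may open TCP connections; keep-state admits the replies
        ("allow", lambda p: p.proto == "tcp" and p.src == SERVER, True),
    ]


def ip_output_current(fw: Firewall, p: Packet) -> str:
    """Order reported for 5.3-RC1: ip_output -> ipsec -> ip_output -> ipfw -> network."""
    return fw.check(ipsec_output(p))


def ip_output_fixed(fw: Firewall, p: Packet) -> str:
    """Proposed order: ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network."""
    if fw.check(p) != "allow":
        return "deny"
    wrapped = ipsec_output(p)
    return "allow" if wrapped is p else fw.check(wrapped)


def ip_input(fw: Firewall, p: Packet) -> str:
    """Inbound: the ESP packet is inspected, decapsulated, and the inner packet inspected again."""
    if fw.check(p) != "allow":
        return "deny"
    inner = ipsec_input(p)
    return "allow" if inner is p else fw.check(inner)


def scenario(ip_output) -> dict:
    """Run an outbound telnet attempt, an outbound HTTP request and the HTTP reply."""
    fw = Firewall(ruleset())
    telnet = Packet(SERVER, LAPTOP, "tcp", 40001, 23)
    http = Packet(SERVER, LAPTOP, "tcp", 40002, 80)
    result = {"telnet_out": ip_output(fw, telnet), "http_out": ip_output(fw, http)}
    # the laptop's reply arrives ESP-wrapped from its gateway
    reply = Packet(LAPTOP_GW, SERVER_GW, "esp", inner=Packet(LAPTOP, SERVER, "tcp", 80, 40002))
    result["http_reply_in"] = ip_input(fw, reply)
    result["inspected_inner_tcp"] = any(f[2] == "tcp" and f[0] == SERVER for f in fw.seen)
    return result


if __name__ == "__main__":
    print("current:", scenario(ip_output_current))
    print("fixed:  ", scenario(ip_output_fixed))
```

With the current order the deny-telnet rule is bypassed, the firewall never inspects a TCP packet sourced from the server, and the decapsulated HTTP reply is dropped because no dynamic entry exists for it; with pfil_hook run before ipsec, telnet is denied, keep-state records the HTTP flow, and the reply is admitted. The second inspection of the ESP packet in the fixed order is what the rule for the tunnel itself is there for.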
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:20 UTC