ipfw and ipsec processing order for outgoing packets wrong

From: Ari Suutari <ari_at_suutari.iki.fi>
Date: Sat, 30 Oct 2004 09:27:50 +0300
Hi,

I noticed that the processing order of ipsec and ipfw (pfil_hook) is not
correct for outgoing packets. Currently, ipsec processing is done first,
which makes packets go through without firewall inspection.
This might be a security problem for someone, but at least it
breaks stateful rule handling.

My test setup is (all FreeBSD 5.3-RC1 machines):

FreeBSD laptop <-> ipsec tunnel <-> FreeBSD server

When the server sends a packet to the laptop, it now goes like this:

ip_output -> ipsec -> ip_output -> ipfw -> network

It should go like this:

ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network

I think that this could be fixed by just moving pfil_hook
processing in ip_output before ipsec processing.

     Ari S.
Received on Sat Oct 30 2004 - 04:28:00 UTC
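The two call orders above, modelled as an added example (not FreeBSD kernel code and not from the original post): a tunnel-mode ESP packet re-enters ip_output, and the position of the pfil hook decides whether the firewall ever sees the inner TCP 5-tuple that a stateful rule would key on. The addresses and the tunnel endpoints are constructed for the model.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

Tuple3 = Tuple[str, str, str]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    inner: Optional["Packet"] = None  # payload packet when proto == "esp"


def ipsec_encap(pkt: Packet, tunnel: Tuple[str, str]) -> Packet:
    """Tunnel-mode ESP: the original packet becomes the payload of a new
    IP packet addressed between the tunnel endpoints."""
    return Packet(tunnel[0], tunnel[1], "esp", inner=pkt)


def ip_output(pkt: Packet, tunnel: Tuple[str, str], hook_before_ipsec: bool,
              seen: List[Tuple3], encapsulated: bool = False) -> Packet:
    """Model of ip_output(). `seen` records what the ipfw pfil hook inspected
    on each pass. After encapsulation the ESP packet goes through ip_output
    again, as in the call chains in the post."""
    if hook_before_ipsec:                      # proposed order: ipfw first
        seen.append((pkt.src, pkt.dst, pkt.proto))
    if not encapsulated:                       # ipsec processing
        esp = ipsec_encap(pkt, tunnel)
        return ip_output(esp, tunnel, hook_before_ipsec, seen, encapsulated=True)
    if not hook_before_ipsec:                  # current order: ipfw after ipsec
        seen.append((pkt.src, pkt.dst, pkt.proto))
    return pkt                                 # handed to the network


def simulate(hook_before_ipsec: bool) -> List[Tuple3]:
    """Send one TCP packet from the server to the laptop over the tunnel and
    return the list of (src, dst, proto) tuples the firewall hook inspected."""
    seen: List[Tuple3] = []
    inner = Packet("10.0.0.1", "10.0.1.5", "tcp")     # constructed inner flow
    ip_output(inner, ("192.0.2.1", "192.0.2.2"), hook_before_ipsec, seen)
    return seen


def firewall_sees_flow(hook_before_ipsec: bool) -> bool:
    """True if a stateful rule keyed on the inner TCP 5-tuple could match."""
    return ("10.0.0.1", "10.0.1.5", "tcp") in simulate(hook_before_ipsec)
```

With the current order the hook sees only the ESP packet between the tunnel endpoints, so a stateful rule for the inner flow never matches; with the hook moved before ipsec it sees both passes.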
