tech-net archive
Re: PFIL for IPsec tunneled packets (was: reverse processing order: NAT, IPsec?)
On Thu, 25 Jun 2009, Edgar Fuß wrote:
Applying this "fix" would break my installation. At least as long as
those packets are indistinguishable from non-IPsec traffic arriving on
the same interface. Currently, packets arriving on the gateway's
external interface but appearing to come from an internal network are
dropped by anti-spoofing filter rules. ESP traffic passes, and the
de-encapsulated packets are never seen again by the packet filter. If
they were, they should be somehow marked as being
de-encapsulated---otherwise they would be dropped by the anti-spoof
rules.
Are you sure? Looking at the code, the pfil_run_hooks() call is run only
for encapsulated packets; everything else is outside that codepath.
Or do you have those anti-spoofing rules in your packet filter
(PF/IPfilter) config?
Also, if you don't run the PFIL_HOOKS on the decapsulated packet, how do
you prevent someone from sending "internal" packets via IPSEC - plain
trust?
- Hubert (still trying to get a grip on the code)
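A small model of the filter behaviour the two of them are arguing about, added here as an illustration and not code from the thread or from NetBSD. The interface name ext0, the 10.0.0.0/8 internal range, the peer address and the `decapsulated` flag are all assumptions made for this example; it shows what a single anti-spoofing rule does to a tunneled packet when the hooks are skipped, when they are re-run without a mark, and when the inner packet is marked as de-encapsulated.

```python
# Added example (not from the mailing-list thread): a model of the
# packet-filter behaviour discussed above, with one anti-spoofing rule
# on a hypothetical external interface "ext0".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed internal range


@dataclass(frozen=True)
class Packet:
    src: str
    iface: str                  # interface the filter sees the packet on
    proto: str                  # "esp" or "ip"
    decapsulated: bool = False  # the "mark" the quoted message asks for


def anti_spoof_filter(pkt: Packet) -> str:
    """Anti-spoofing rule: an internal source arriving on the external
    interface is dropped, unless the packet is marked as having come out
    of an IPsec tunnel. ESP itself is allowed in."""
    if pkt.proto == "esp":
        return "pass"
    if (pkt.iface == "ext0" and ip_address(pkt.src) in INTERNAL_NET
            and not pkt.decapsulated):
        return "drop"
    return "pass"


def deliver(inner_pkt: Packet, rerun_hooks: bool, mark: bool) -> str:
    """Model ESP de-encapsulation on the gateway.
    rerun_hooks mirrors calling the pfil hooks on the inner packet;
    mark mirrors tagging that inner packet as de-encapsulated."""
    outer = Packet(src="192.0.2.1", iface="ext0", proto="esp")  # constructed peer
    if anti_spoof_filter(outer) != "pass":
        return "drop"
    inner = Packet(inner_pkt.src, outer.iface, inner_pkt.proto, decapsulated=mark)
    if not rerun_hooks:
        return "pass"   # plain trust: the filter never sees the inner packet
    return anti_spoof_filter(inner)


if __name__ == "__main__":
    tunneled = Packet(src="10.1.2.3", iface="ext0", proto="ip")
    for hooks, mark in ((False, False), (True, False), (True, True)):
        print(f"rerun_hooks={hooks} mark={mark}: {deliver(tunneled, hooks, mark)}")
```

The three runs reproduce the thread's positions: skipping the hooks passes the inner packet unfiltered, re-running them without a mark drops it under the anti-spoof rule, and only the marked packet both reaches the filter and survives it.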