[ previous ] [ next ] [ threads ]
 From:  Lists at edain <lists at edain dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  mk at neon1 dot net
 Subject:  Re: [m0n0wall] IPSEC Site-to-site VPN firewall
 Date:  Wed, 08 Jun 2005 21:05:59 +0200
Manuel Kasper wrote:
 >The problem with filtering IPsec traffic is not that the decrypted
 >packets don't pass through ipfilter - they can be made to do that.
 >Actually, if IPSEC_FILTERGIF is set in the kernel config, IPsec
 >tunnel traffic passes through the filter twice - once when it comes
 >in as ESP packets (where it doesn't make much sense to filter yet
 >though), and again as decrypted packets on the same interface
 >(usually WAN). Unfortunately, AFAIK there's no way to distinguish
 >between successfully decrypted ESP packets and regular unencrypted
 >packets once they hit ipfilter, so you might actually permit
 >undesirable unencrypted packets as well. This is the reason why
 >IPSEC_FILTERGIF is not set in m0n0wall kernels.

I was searching for a way to filter decrypted IPSec traffic in m0n0wall 
and found the above post on the list. (in the archive: 

Just evaluating m0n0wall to replace a Lancom 1611 (there are a lot of 
pros on both sides...)
Well, Lancom has the ability to filter decrypted traffic and I don't 
want to miss that.

Has it ever been discussed to use the "out" keyword of ipfilter to get a 
hand on the decrypted traffic?
If I remember the packet flow correctly it is:


for incoming traffic on each interface.

With filter_rules_ipsec_generate() you let in encrypted traffic. When 
the default pass out filter for lanif was left out, one had the ability 
to filter for the decrypted traffic leaving the lan interface.
Of course this would made rule setting more complicated but could be 
done in sth like advanced mode.
This would not affect RFC1918 blocking and spoof check on WAN.

Sorry if this already has been discussed, but I found nothing in the 


-Bjoern Euler