IP SEC filtering issue

From: Alwyn Goodloe (agoodloe_at_saul.cis.upenn.edu)
Date: 05/28/03

    Date: Wed, 28 May 2003 16:44:14 -0400 (EDT)
    To: freebsd-security@FreeBSD.ORG
    
    

    First thing to note is that I am using FreeBSD 4.8.

    We would like to send only the syn packet of a tcp connection through
    certain ipsec tunnels and the rest of the packets in a connection through
    a simple transport mode setup. Yeah, I know it's strange but what can I
    say -- we do a lot of strange things. From the best I can tell, the
    setkey/spadd filtering capability isn't sophisticated enough to detect
    syn packets. Since ipfw does do this sort of thing we can use this to
    filter out the syn packet and using divert sockets (we have a lot of
    experience at writing divert sockets) we can put a wrapper
    around it so that it goes to a particular port. Since ip sec can filter on
    ports, we can just filter that out. The process should look something
    like:

    syn ---> diverted and wrapped to head for port X ---->
             ipsec filters on port X sends it into tunnel .........

     ........... ipsec does its thing ---> divert socket unwraps ---> sends
    the packet on its way (not passing through ip sec again).

    The divert socket solution seems to work fine on the sending side, but
    there seems to be problems on the receiving side. I suspect that ipfw is
    looking at the packet before ipsec or some such thing. I know that there
    were postings about the interaction of ipfw and ipsec and that some of
    these were going to be fixed in 4.8.

    If any of you know of a way to get ipsec to filter on syn packets let me
    know. If you have ever tried to get divert sockets and ip sec working at
    the same time let me know the secret. I suspect I'm just going to have
    to hack the ipsec filter to get it to filter on syn packets. Any ideas as
    to how hard this will be?

    Alwyn Goodloe

    agoodloe@saul.cis.upenn.edu
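The wrap/unwrap step of the divert-socket scheme described in the post, as an added example that is not part of the original message or of any FreeBSD code: it classifies a packet as a bare SYN (SYN set, ACK clear), encapsulates the whole IP packet in a UDP datagram to an assumed port X so an IPsec SPD entry can match on that port, and unwraps it on the far side. `WRAP_PORT` and the `make_tcp` test packets are assumed/constructed values; the actual divert-socket read and write on FreeBSD are left out.

```python
import socket
import struct

WRAP_PORT = 4001  # assumed "port X" that the IPsec SPD entry matches on

def _csum(data):
    """RFC 1071 ones-complement checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def is_tcp_syn(pkt):
    """True only for IPv4/TCP with SYN set and ACK clear, i.e. a connection request."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return False
    flags = pkt[ihl + 13]
    return bool(flags & 0x02) and not flags & 0x10

def wrap(pkt, port=WRAP_PORT):
    """Encapsulate the whole IP packet in a new IPv4/UDP packet addressed to port."""
    src, dst = pkt[12:16], pkt[16:20]          # keep the original endpoints
    udp_len = 8 + len(pkt)
    udp = struct.pack("!HHHH", port, port, udp_len, 0) + pkt
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp = udp[:6] + struct.pack("!H", _csum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return ip + udp

def unwrap(pkt, port=WRAP_PORT):
    """Inverse of wrap: return the inner packet, or None if pkt is not a wrapper."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return None
    _, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != port or len(pkt) < ihl + ulen:
        return None
    return pkt[ihl + 8:ihl + ulen]

def make_tcp(src, dst, sport, dport, flags):
    """Constructed IPv4/TCP header-only packet for testing (TCP checksum left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:] + tcp
```

On the receiving side the unwrapped packet must be reinjected without passing through the SPD again, which is the ordering problem the post raises and which this example does not address.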

