On Fri, May 27, 2016 at 01:21:55PM +0200, Bruno Flueckiger wrote:
> After discussing this with Philipp Buehler off list I have reworked my
> diff to make things easier in the example.
> 
> The paragraph which contains set skip on enc0 just before the ruleset
> is removed. All filtering in the rule set is done on sk0, skipping enc0
> entirely.
> 
> The new rule set looks like this:
> 
> block on sk0
> set skip on enc0
> 
> pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
>       port {500, 4500}
> pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
>       port {500, 4500}
> 
> pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
> pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
> 
> pass  in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \
>       keep state (if-bound)
> pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \
>       keep state (if-bound)
> 

what then is the point of this section? to tell us to not filter
ipsec traffic?

what really needs to happen is for developers concerned with ipsec to
either recognise a change and adjust the filter rules accordingly, or
to say the idea of filtering enc traffic no longer makes sense and to
remove the section. or to tell you what's in ipsec.conf(5) is correct,
and why.

until that happens, the text will remain, i think.

jmc

> 
> Index: sbin/ipsecctl/ipsec.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
> retrieving revision 1.151
> diff -u -p -r1.151 ipsec.conf.5
> --- sbin/ipsecctl/ipsec.conf.5        9 Dec 2015 21:41:50 -0000       1.151
> +++ sbin/ipsecctl/ipsec.conf.5        27 May 2016 11:07:55 -0000
> @@ -493,20 +493,12 @@ Match traffic of phase 2 SAs using the
>  keyword.
>  .El
>  .Pp
> -If the filtering rules specify to block everything by default,
> -the following rule
> -would ensure that IPsec traffic never hits the packet filtering engine,
> -and is therefore passed:
> -.Bd -literal -offset indent
> -set skip on enc0
> -.Ed
> -.Pp
>  In the following example, all traffic is blocked by default.
>  IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and
>  networks {10.0.1.0/24, 10.0.2.0/24} is permitted.
>  .Bd -literal -offset indent
>  block on sk0
> -block on enc0
> +set skip on enc0
>  
>  pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \e
>       port {500, 4500}
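Review bot: the removed paragraph (`-If the filtering rules specify to block everything by default,` through `-set skip on enc0`) was the only text explaining what `set skip on enc0` does, yet the example now depends on that line, and the sentence kept just above it ("all traffic is blocked by default") is no longer accurate for enc0 once it is skipped. Suggest keeping a one-sentence explanation next to the new `+set skip on enc0` line, for example that packets on enc0 never hit the packet filtering engine and are therefore passed, so a reader sees the security implication of replacing `block on enc0` with a skip.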
> @@ -516,13 +508,9 @@ pass out on sk0 proto udp from 192.168.3
>  pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
>  pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
>  
> -pass  in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
> -     keep state (if-bound)
> -pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e
> -     keep state (if-bound)
> -pass  in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e
> +pass  in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \e
>       keep state (if-bound)
> -pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e
> +pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \e
>       keep state (if-bound)
>  .Ed
>  .Pp
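Review bot: the network rules moved from enc0 to sk0 (`+pass  in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \e` and the matching `pass out`) now match on the physical interface, where the protected traffic appears as ESP between 192.168.3.1 and 192.168.3.2 and is already passed by the `proto esp` rules above it; with `set skip on enc0` the decrypted packets carrying the inner 10.0.x.0/24 addresses are not filtered at all. As written these two rules can only match cleartext traffic between the two networks arriving on sk0, which the example presumably does not intend to permit. Either drop them or add a sentence stating that the inner networks are no longer filtered. The removed `proto ipencap` rules on enc0 also disappear without replacement; if that is intended because enc0 is now skipped, the text should say so.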
