After discussing this with Philipp Buehler off list, I have reworked my
diff to make things easier in the example.
The paragraph which contains set skip on enc0 just before the ruleset
is removed. All filtering in the rule set is done on sk0, skipping enc0
entirely.
The new rule set looks like this:
block on sk0
set skip on enc0
pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
	port {500, 4500}
pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
	port {500, 4500}
pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
pass in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \
	keep state (if-bound)
pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \
	keep state (if-bound)
Index: sbin/ipsecctl/ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.151
diff -u -p -r1.151 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5 9 Dec 2015 21:41:50 -0000 1.151
+++ sbin/ipsecctl/ipsec.conf.5 27 May 2016 11:07:55 -0000
@@ -493,20 +493,12 @@ Match traffic of phase 2 SAs using the
keyword.
.El
.Pp
-If the filtering rules specify to block everything by default,
-the following rule
-would ensure that IPsec traffic never hits the packet filtering engine,
-and is therefore passed:
-.Bd -literal -offset indent
-set skip on enc0
-.Ed
-.Pp
In the following example, all traffic is blocked by default.
IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and
networks {10.0.1.0/24, 10.0.2.0/24} is permitted.
.Bd -literal -offset indent
block on sk0
-block on enc0
+set skip on enc0
pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \e
port {500, 4500}
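Review bot: the intro sentence "all traffic is blocked by default" now sits directly above `set skip on enc0`, which exempts enc0 from filtering, and the paragraph that explained what `set skip on enc0` does is deleted in the same hunk, so the example is left using it without any explanation. Suggest extending the sentence before `.Bd` to something like "In the following example, all traffic on sk0 is blocked by default; enc0 is skipped so that all filtering is done on sk0." so the reader still learns why the line is there.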
@@ -516,13 +508,9 @@ pass out on sk0 proto udp from 192.168.3
pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
-pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
- keep state (if-bound)
-pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e
- keep state (if-bound)
-pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e
+pass in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \e
keep state (if-bound)
-pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e
+pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \e
keep state (if-bound)
.Ed
.Pp
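Review bot: the two `proto ipencap` rules between 192.168.3.1 and 192.168.3.2 are removed with no sk0 counterpart, while the 10.0.2.0/24 and 10.0.1.0/24 rules do get one; neither the hunk nor the accompanying message says why those rules are no longer needed once enc0 is skipped. Either add a matching `pass in`/`pass out on sk0 proto ipencap` pair or state in the text above the example that they are unnecessary, so that the description "networks ... is permitted" still matches the rule set shown.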