Hello Markus,

Monday, September 15, 2003, 8:12:10 AM, you wrote:

Markus> On Sun, Sep 14, 2003 at 10:30:43PM -0300, Alejandro G. Belluscio wrote:
>> Hello pf,
>>
>> I always get my ideas just on the crunch pre-release ;-). The
>> question is whether it is planned to be able to tag packets on the isakmpd
>> SA. Since all the packets get mixed into enc0, it's very difficult
>> to filter an attack from a brain-dead client's LAN. If we could tag at
>> least the origin, then it could be easier to know who the culprit is. Of
>> course I'm assuming that they would send forged IPs or something like
>> that.
>> Of course maybe it's the wrong list to ask for it. If so, where
>> should I ask?

Markus> you could do this:
Markus>
Markus> pass in on $extern proto 50 from PEER1 to any tag VPNPEER1 keep state
Markus> pass in on $extern proto 50 from PEER2 to any tag VPNPEER2 keep state
Markus>
Markus> and filter on enc0 using these tags.
Markus>
Markus> additionally, if the 'bad' client sends attack packets,
Markus> these packets should be caught by the incoming flows, i.e.
Markus> they won't match the flows in netstat -nrfencap

I thought that they didn't keep tags when decrypting IPsec packets. I guess I should have waited for 3.4 and simply tested it. Always speaking before thinking, not a good trait.

-- 
Best regards,
Alejandro Belluscio
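
An added pf.conf fragment, not from the thread and not from either poster, laying out the scheme Markus suggests: tag each peer's ESP traffic on the outside interface, then filter the decapsulated packets on enc0 by tag, including a rule for the forged-source case Alejandro asked about. The interface name, peer addresses and LAN prefixes are assumptions. The enc0 rules depend on the tag set on the outer ESP packet still being present after decryption, which is exactly the behaviour Alejandro says he should have tested on 3.4.

```pf
# Added example (not from the original thread).  Interface name, peer
# addresses and LAN prefixes are assumed values for illustration only.
extern    = "fxp0"
peer1     = "192.0.2.10"        # assumed IPsec gateway of client 1
peer1_lan = "10.1.0.0/16"       # assumed LAN client 1 is allowed to send from
peer2     = "198.51.100.20"     # assumed IPsec gateway of client 2
peer2_lan = "10.2.0.0/16"       # assumed LAN client 2 is allowed to send from
local_lan = "10.0.0.0/16"       # assumed LAN behind this gateway

# Outside interface: IKE (isakmpd, UDP/500) and ESP (protocol 50) from each
# known peer.  The tag is attached to the ESP packet here; the enc0 rules
# below assume it is still attached once the packet has been decrypted.
pass in on $extern proto udp from $peer1 to $extern port 500 keep state
pass in on $extern proto esp from $peer1 to $extern tag VPNPEER1 keep state
pass in on $extern proto udp from $peer2 to $extern port 500 keep state
pass in on $extern proto esp from $peer2 to $extern tag VPNPEER2 keep state

# enc0 carries the already-decrypted packets.  A packet that carries a peer's
# tag but a source address outside that peer's LAN is the forged-IP case from
# the original question: log and drop it, and the tag in the log names the
# culprit even though every tunnel shares enc0.
block in log quick on enc0 from ! $peer1_lan to any tagged VPNPEER1
block in log quick on enc0 from ! $peer2_lan to any tagged VPNPEER2

# Otherwise each peer's LAN may reach the local LAN.
pass in on enc0 from $peer1_lan to $local_lan tagged VPNPEER1 keep state
pass in on enc0 from $peer2_lan to $local_lan tagged VPNPEER2 keep state

# Anything else arriving on enc0 (untagged, i.e. from a peer no rule above
# knows about) is dropped and logged.
block in log on enc0
```

`block ... log` entries on enc0 can then be read back with tcpdump on pflog0, where the rule that matched tells you which peer's tag the packet carried. Note that the `tagged` filter option has to follow the address part of the rule, as above, not precede it.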
