Bug 249972 - Trusted hosts in rc.firewall are only trusted in one direction
Summary: Trusted hosts in rc.firewall are only trusted in one direction
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 12.1-RELEASE
Hardware: i386 Any
Importance: --- Affects Some People
Assignee: freebsd-rc (Nobody)
Depends on:
Reported: 2020-09-29 01:01 UTC by Archit Shah
Modified: 2020-10-04 03:36 UTC

See Also:


Description Archit Shah 2020-09-29 01:01:00 UTC
I attempted to configure an IPSec transport mode connection between a host and a trusted peer (e.g. using the "workstation" mode ipfw firewall). The firewall appears not to have allowed outgoing packets. The following diff addresses the specific test case I had and appears to be consistent with the concept of a trusted peer.

> diff /etc/rc.firewall /tmp/rc.firewall.diff 
<         ${fwcmd} add pass ip from $i to me
>         ${fwcmd} add pass ip from $i to me keep-state :default
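Review bot: adding `keep-state` to the `from $i to me` rule only builds dynamic state for flows the peer initiates; a packet from this host to the peer with no existing state does not match `from $i to me` at all and falls through to the rules after it, so the host-initiated direction is still not trusted by this change. The alternative mentioned in the report, a second rule `${fwcmd} add pass ip from me to $i`, is the one that trusts the peer in both directions and may be the better fix for the summary as stated. Two smaller points: `:default` is the flow name ipfw uses when none is given, so `keep-state` alone is equivalent; and plain `diff` output with no line context makes it hard to see which rule in `/etc/rc.firewall` is being replaced, so a unified diff (`diff -u`) would make the patch easier to review.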

Alternatively, a second rule per trusted peer could be added to pass packets to the peer ("${fwcmd} add pass ip from me to $i").

Configuration example below:

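The reporter's configuration example is not present on this page. What follows is an added illustration, not the reporter's or FreeBSD's code: a small Python model of ipfw first-match evaluation with `check-state`/`keep-state` that runs the three rule variants discussed in the report (the shipped inbound-only rule, the `keep-state` patch, and the explicit second rule) against a peer-initiated and a host-initiated flow. Only the trusted-host rules are modelled, wrapped in a `check-state` rule and a final deny; the rest of the "workstation" rule set is not represented, and the addresses are constructed.

```python
"""Model of ipfw first-match evaluation with keep-state/check-state (added example).

Only the trusted-host rules from the report are modelled, wrapped in a
check-state rule and a final deny; the rest of the rc.firewall "workstation"
rule set is not represented.  Addresses are constructed for the example.
"""
from dataclasses import dataclass, field

ME = "192.0.2.10"        # constructed: this host ("me" in ipfw syntax)
PEER = "198.51.100.7"    # constructed: one entry of $firewall_trusted


@dataclass
class Rule:
    action: str                 # "pass", "deny" or "check-state"
    src: str = "any"            # "any", "me" or a literal address
    dst: str = "any"
    keep_state: bool = False    # the reporter's patch adds this to the inbound rule


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "me":
        return addr == ME
    return pattern == addr


@dataclass
class Firewall:
    rules: list
    # Dynamic state keyed by the unordered address pair: a state entry
    # matches packets of that flow in either direction, as in ipfw.
    state: set = field(default_factory=set)

    def packet(self, src: str, dst: str) -> str:
        """Return the verdict for one packet and record state where a rule keeps it."""
        key = frozenset((src, dst))
        dyn_checked = False
        for r in self.rules:
            # ipfw consults dynamic rules at check-state, or at the first
            # keep-state rule if no check-state rule comes first.
            if (r.action == "check-state" or r.keep_state) and not dyn_checked:
                dyn_checked = True
                if key in self.state:
                    return "pass"
            if r.action == "check-state":
                continue
            if _addr_match(r.src, src) and _addr_match(r.dst, dst):
                if r.keep_state and r.action == "pass":
                    self.state.add(key)
                return r.action
        return "deny"   # nothing matched: treat like a default-deny last rule


def trusted_rules(variant: str) -> list:
    """The trusted-host rule(s) for one peer, in the three forms the report discusses."""
    if variant == "original":      # rc.firewall as shipped: pass ip from $i to me
        return [Rule("pass", PEER, "me")]
    if variant == "keep-state":    # the reporter's diff: ... from $i to me keep-state
        return [Rule("pass", PEER, "me", keep_state=True)]
    if variant == "two-rules":     # the alternative: also add pass ip from me to $i
        return [Rule("pass", PEER, "me"), Rule("pass", "me", PEER)]
    raise ValueError(variant)


def simulate(variant: str, initiator: str) -> tuple:
    """Send a request and its reply through a fresh rule set.

    initiator is "peer" (the peer opens the flow) or "me" (this host opens it).
    Returns the (request, reply) verdicts.
    """
    fw = Firewall([Rule("check-state")] + trusted_rules(variant) + [Rule("deny")])
    src, dst = (PEER, ME) if initiator == "peer" else (ME, PEER)
    request = fw.packet(src, dst)
    reply = fw.packet(dst, src)
    return request, reply


if __name__ == "__main__":
    for variant in ("original", "keep-state", "two-rules"):
        for initiator in ("peer", "me"):
            req, rep = simulate(variant, initiator)
            print(f"{variant:11} {initiator}-initiated: request={req:4} reply={rep}")
```

The unordered address pair as state key is the simplification that captures why `keep-state` helps at all: a dynamic rule matches both directions of a flow. It also shows the limit of the one-line patch, since state is only created when the inbound rule matches, so a flow that this host opens towards the peer never gets an entry and its first packet falls through to the final deny. The explicit `from me to $i` rule is the variant that passes both directions without depending on who initiates.
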
Comment 1 Mark Linimon (freebsd_committer, freebsd_triage) 2020-10-04 03:36:28 UTC
^Triage: assign to appropriate mailing list.
^Triage: reset the now-obsolete "patch" Keyword.