From: Peter Pentchev <roam@ringlet.net>
To: Danny Carroll
Cc: freebsd-security@freebsd.org
Date: Wed, 7 May 2003 08:50:36 +0300
Message-ID: <20030507055036.GA665@straylight.oblivion.bg>
In-Reply-To: <1052258867.b640e23b86613@www.dannysplace.com>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

On Wed, May 07, 2003 at 12:07:47AM +0200, Danny Carroll wrote:
> > On Tue, 6 May 2003, Danny Carroll wrote:
> > > FYI I have done this in ipfw/natd... It's just as easy. I think I only added
> > > one rule to my firewall and nothing to my natd.conf
> > >
> > > Now I can vpn from any machine on the internal lan to multiple vpn's.
> > > If you want I can send you the ruleset.
> >
> > Please do! I was just working up to converting, but if it works, this'll
> > be much easier.
> > Matt Piechota
>
>
> Umm I looked at my ruleset and I found nothing...
> Then I remembered what I needed to do..
>
> Basically 90% of the rulesets out there work on allowing IP and UDP
> But since esp is a different protocol to IP, it gets dropped.

You have a very good point here, if by 'IP and UDP' you actually meant
to say 'TCP and UDP', and 'ESP is a different protocol from TCP'.
TCP, UDP, and ESP are all protocols that are based on IP - any TCP, UDP,
or ESP packet is an IP packet at the same time.

If you meant to say that most firewalls only allow TCP and UDP packets,
then this is absolutely true: a firewall that only allows TCP and UDP,
then denies all the rest of IP traffic without special provisions for
ICMP or ESP, would certainly not let any IPsec traffic through.

Come to think of it, a firewall that only allows TCP and UDP traffic and
then denies any other IP traffic, including ICMP, is doing a great
disservice to itself, its internal network, and the Internet at large.
This has been said many, many times in many forums, but still: some ICMP
messages are not only beneficial, they are essential for the correct
operation of the network. Firewalling all ICMP traffic is a very bad idea.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@sbnd.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
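The point made above (a ruleset that allows only TCP and UDP and then denies the rest of IP silently drops ESP and the ICMP messages the network depends on) can be made concrete with a small simulator. The following is an added example, not code from the thread or from FreeBSD: a toy first-match filter in the style of ipfw, fed the criticised "TCP and UDP only" ruleset and a second ruleset that adds IKE (UDP 500), ESP, AH and the needed ICMP types. The protocol names and the IKE port are standard assignments; both rulesets, the sample packets and the tiny rule grammar are constructed for the example and are not a real ipfw configuration.

```python
"""Toy first-match packet filter in the style of ipfw(8).

Added example, not code from the thread. It shows why a "TCP and UDP
only" ruleset drops IPsec (ESP is IP protocol 50, AH is 51) and ICMP,
and what the extra rules look like. Both rulesets and the sample
packets below are constructed; the rule grammar is a small subset of
ipfw syntax chosen for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    proto: str                      # 'tcp', 'udp', 'esp', 'ah' or 'icmp'
    dport: Optional[int] = None     # TCP/UDP destination port
    icmptype: Optional[int] = None  # ICMP type, only meaningful for 'icmp'


@dataclass
class Rule:
    action: str                     # 'allow' or 'deny'
    proto: str                      # protocol name, or 'ip' to match any
    dport: Optional[int] = None
    icmptypes: Set[int] = field(default_factory=set)

    def matches(self, p: Packet) -> bool:
        if self.proto != 'ip' and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmptypes and p.icmptype not in self.icmptypes:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse '<allow|deny> <proto> from any to any [dst-port N] [icmptypes a,b]'."""
    tok = line.split()
    if (len(tok) < 6 or tok[0] not in ('allow', 'deny')
            or tok[2:6] != ['from', 'any', 'to', 'any']):
        raise ValueError('unsupported rule: ' + line)
    rule = Rule(action=tok[0], proto=tok[1])
    rest = tok[6:]
    while rest:
        if len(rest) < 2:
            raise ValueError('keyword without value: ' + rest[0])
        key, val, rest = rest[0], rest[1], rest[2:]
        if key == 'dst-port':
            rule.dport = int(val)
        elif key == 'icmptypes':
            rule.icmptypes = {int(t) for t in val.split(',')}
        else:
            raise ValueError('unsupported keyword: ' + key)
    return rule


def load_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(ruleset: List[Rule], p: Packet) -> str:
    """First matching rule wins, as in ipfw; a packet no rule matches
    falls through to the implicit final rule, which is 'deny' here."""
    for rule in ruleset:
        if rule.matches(p):
            return rule.action
    return 'deny'


# The pattern criticised in the thread: TCP and UDP pass, everything
# else (ESP, AH, ICMP) hits the catch-all deny. (Constructed.)
TCP_UDP_ONLY = load_ruleset("""
allow tcp from any to any
allow udp from any to any
deny ip from any to any
""")

# The same ruleset plus what IPsec and the network need: IKE on UDP 500,
# ESP and AH themselves, and the ICMP types that must get through
# (0/8 echo, 3 unreachable incl. fragmentation-needed, 11 time exceeded).
# The blanket tcp/udp allows stand in for a site's real, narrower rules.
IPSEC_FRIENDLY = load_ruleset("""
allow udp from any to any dst-port 500
allow esp from any to any
allow ah from any to any
allow icmp from any to any icmptypes 0,3,8,11
allow tcp from any to any
allow udp from any to any
deny ip from any to any
""")

# Constructed sample traffic, one packet per row.
SAMPLE = [
    ('ESP (IP proto 50)',    Packet('esp')),
    ('IKE (UDP 500)',        Packet('udp', dport=500)),
    ('ICMP unreachable (3)', Packet('icmp', icmptype=3)),
    ('ICMP redirect (5)',    Packet('icmp', icmptype=5)),
    ('SSH (TCP 22)',         Packet('tcp', dport=22)),
]


def verdicts(ruleset: List[Rule]) -> List[str]:
    """Verdict for each sample packet, in SAMPLE order."""
    return [evaluate(ruleset, p) for _, p in SAMPLE]


if __name__ == '__main__':
    print(f"{'packet':22} {'tcp/udp-only':13} ipsec-friendly")
    for (label, _), a, b in zip(SAMPLE, verdicts(TCP_UDP_ONLY),
                                verdicts(IPSEC_FRIENDLY)):
        print(f'{label:22} {a:13} {b}')
```

Running it prints one row per sample packet: under the first ruleset only IKE and SSH pass, because ESP and ICMP are neither TCP nor UDP and fall to the final deny; under the second, ESP, AH, IKE and the listed ICMP types pass while an ICMP redirect still stops at the catch-all, which is the distinction between "allow the ICMP the network needs" and "allow all ICMP".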