From owner-freebsd-ipfw  Sun Apr 29  8:41:31 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from set.amduat.net (set.amduat.net [206.124.145.162])
	by hub.freebsd.org (Postfix) with ESMTP id 38E6137B43E
	for <freebsd-ipfw@freebsd.org>; Sun, 29 Apr 2001 08:41:27 -0700 (PDT)
	(envelope-from jsbarrett@acm.org)
Received: from acm.org (osiris.amduat.net [10.0.0.69])
	by set.amduat.net (8.11.3/8.11.3) with ESMTP id f3TFfCV24975
	for <freebsd-ipfw@freebsd.org>; Sun, 29 Apr 2001 08:41:12 -0700 (PDT)
	(envelope-from jsbarrett@acm.org)
Message-ID: <3AEC3618.8000605@acm.org>
Date: Sun, 29 Apr 2001 08:41:12 -0700
From: "Jacob S. Barrett" <jsbarrett@acm.org>
Reply-To: jbarrett@amduat.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; 0.8.1) Gecko/20010323
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Subject: IPFW with IPSEC and odd rule matching
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am having a few problems with my firewall rules and ipsec tunnel.
Here are my rules as they are now (well, only the rules that apply to my
problem).

lnc0 = internal interface	10.0.0.0/16
ed0 = external interface	206.124.145.0/24
gif0 = ipsec tunnel 		10.2.0.0/16

# standard anti-spoofing
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 10.0.0.0/16 to any in recv ed0
00400 deny ip from 206.124.145.0/24 to any in recv lnc0
...
# ipsec tunnel ***
00800 allow esp from 206.124.145.161 to 24.10.38.31 via ed0
00900 allow esp from 24.10.38.31 to 206.124.145.161 via ed0
01000 allow ip from 10.0.0.0/16 to 10.2.0.0/16 via gif0
01100 allow ip from 10.2.0.0/16 to 10.0.0.0/16 via ed0
# blocking private address from outside
01200 deny ip from any to 10.0.0.0/8 via ed0
01300 deny ip from any to 172.16.0.0/12 via ed0
01400 deny ip from any to 192.168.0.0/16 via ed0
...
# nat
02000 divert 8668 ip from any to any via ed0
# blocking private from inside
02100 deny ip from 10.0.0.0/8 to any via ed0
02200 deny ip from 172.16.0.0/12 to any via ed0
02300 deny ip from 192.168.0.0/16 to any via ed0
...
# allowing established
02900 allow tcp from any to any established
03000 allow ip from any to any frag
...
# log attempted setups from outside.
05800 deny log logamount 100 tcp from any to any in recv ed0 setup
# allow setups from inside.
05900 allow tcp from any to any setup
# allow all internal
06000 allow ip from any to any via lnc0
# stop everything else
65535 deny ip from any to any

All of this works right now with a few minor problems.

The first oddity is that rule 1100 does not work if I specify "via
gif0".  If I do that then rule 1200 blocks all inbound because nothing
matches 1100.  That seems odd to me since the packets should be arriving
on ed0 encapsulated in an ESP packet which matches 900.  Then it should
be decoded and come in on gif0.  Am I mistaken?  Does it really consider
the decoded packet to have entered on ed0?

The second oddity is that rule 800 never matches.  It seems to me that 
the outbound ESP packets should have to match that rule to get out.  I 
am not sure what other rule they would be matching to exit.  When I use 
the Java application I whipped up to monitor the ipfw tables it doesn't 
indicate an obvious rule that is matching these packets.  The only rules 
that are actively matching are 900, 1000, and 1100.

Is there anything wrong with the way I have this all configured?  I
would appreciate any help you all have to offer.

Thanks,
Jake


--
Jacob S. Barrett
jsbarrett@acm.org
www.amduat.net
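
A first-match simulator for the subset of Jake's rules above, as an added example (not code from the post): it parses the listed rules and reports which rule a sample packet would hit, so the effect of changing rule 1100 from "via ed0" to "via gif0" can be checked before loading the set. The packet model (one interface per packet, divert treated as non-terminal, no natd address rewriting) is this example's own simplifying assumption; it models ipfw's first-match semantics, not how the kernel presents decapsulated IPsec traffic.

```python
import ipaddress

# Constructed subset of the posted rules; {tunnel_if} is the interface on rule 1100.
RULES = """
00100 allow ip from any to any via lo0
00300 deny ip from 10.0.0.0/16 to any in recv ed0
00800 allow esp from 206.124.145.161 to 24.10.38.31 via ed0
00900 allow esp from 24.10.38.31 to 206.124.145.161 via ed0
01000 allow ip from 10.0.0.0/16 to 10.2.0.0/16 via gif0
01100 allow ip from 10.2.0.0/16 to 10.0.0.0/16 via {tunnel_if}
01200 deny ip from any to 10.0.0.0/8 via ed0
02000 divert 8668 ip from any to any via ed0
02900 allow tcp from any to any established
05800 deny log logamount 100 tcp from any to any in recv ed0 setup
65535 deny ip from any to any
"""

def parse_rule(line):
    """Parse 'NUM ACTION [port] [log logamount N] PROTO from SRC to DST [options]'."""
    t = line.split()
    i = 3 if t[1] == "divert" else 2               # divert carries a port argument
    if t[i] == "log":                              # skip 'log' and optional 'logamount N'
        i += 3 if t[i + 1] == "logamount" else 1
    opts, j = {}, i + 5
    while j < len(t):                              # via/recv take an interface, others are flags
        opts[t[j]] = t[j + 1] if t[j] in ("via", "recv") else True
        j += 2 if t[j] in ("via", "recv") else 1
    return {"num": int(t[0]), "action": t[1], "proto": t[i], "src": t[i + 2], "dst": t[i + 4], "opts": opts}

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """pkt keys: src, dst, proto, iface, dir ('in'/'out'), flags; one iface per packet, so 'recv' is checked inbound only."""
    o = rule["opts"]
    ok = rule["proto"] in ("ip", pkt["proto"])
    ok = ok and in_net(pkt["src"], rule["src"]) and in_net(pkt["dst"], rule["dst"])
    ok = ok and (o.get("via", pkt["iface"]) == pkt["iface"])
    ok = ok and ("recv" not in o or (pkt["dir"] == "in" and o["recv"] == pkt["iface"]))
    ok = ok and all(pkt["dir"] == d for d in ("in", "out") if d in o)
    return ok and all(f in pkt.get("flags", ()) for f in ("established", "setup", "frag") if f in o)

def decide(pkt, tunnel_if="ed0"):
    """Return (number, action) of the first terminal rule matching pkt: ipfw is first-match,
    and divert is not terminal (natd reinjects the packet and the search resumes at the next rule)."""
    rules = [parse_rule(l) for l in RULES.format(tunnel_if=tunnel_if).splitlines() if l.strip()]
    for r in rules:
        if matches(r, pkt) and r["action"] != "divert":
            return r["num"], r["action"]
```

Running decide() on a decapsulated tunnel packet seen on ed0 gives rule 1100 with "via ed0" and rule 1200 with "via gif0", which is exactly the behaviour the post describes.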


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw  Tue May  1 05:03:59 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from xogw.odey.co.uk (ip03.odey.adsl.uk.xo.com [195.147.191.155])
	by hub.freebsd.org (Postfix) with ESMTP id 19C7A37B43C
	for <freebsd-ipfw@FreeBSD.ORG>; Tue,  1 May 2001 05:03:57 -0700 (PDT)
	(envelope-from B.Sutton@odey.co.uk)
Received: (from nobody@localhost)
	by xogw.odey.co.uk (8.11.2/8.11.2) id f41D3Pl01987
	for <freebsd-ipfw@FreeBSD.ORG>; Tue, 1 May 2001 13:03:25 GMT
	(envelope-from B.Sutton@odey.co.uk)
X-Authentication-Warning: xogw.odey.co.uk: nobody set sender to <B.Sutton@odey.co.uk> using -f
Received: from odeydom.odey.co.uk(192.168.100.4) by xogw.odey.co.uk via smap (V2.1/2.1+anti-relay+anti-spam)
	id xma001811; Tue, 1 May 01 13:02:55 GMT
To: freebsd-ipfw@FreeBSD.ORG
Subject: natd and ftp
X-Mailer: Lotus Notes Release 5.0.4a  July 24, 2000
Message-ID: <OF9463491D.3BC2D3CB-ON80256A3F.00417DDB@odey.co.uk>
From: "Blair Sutton/Odey" <B.Sutton@odey.co.uk>
Date: Tue, 1 May 2001 13:03:22 +0100
X-MIMETrack: Serialize by Router on odeydom/Odey(Release 5.0.6a |January 17, 2001) at 05/01/2001
 01:03:20 PM,
	Serialize complete at 05/01/2001 01:03:20 PM
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Does anyone have a successful config for allowing ftp access from internal
clients to external servers using natd, i.e. natd.conf and 'ipfw list'? I
understand most of the concepts for ftp transactions, i.e.
1) client.X->server.21,
2) server.Y->client.20

or
1) client.X->server.21,
2) client.20->server.Y

Thanks in advance.

Blair.
