Date:      Sun, 7 Jul 2002 22:16:19 +0200 (MET DST)
From:      Helge Oldach <helge.oldach@atosorigin.com>
To:        fb-stable@psconsult.nl (Paul Schenkeveld)
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: IPsec and IPfilter interaction
Message-ID:  <200207072016.WAA20544@galaxy.de.cp.philips.com>
In-Reply-To: <20020707213133.A56630@psconsult.nl> from Paul Schenkeveld at "Jul 7, 2002  9:31:33 pm"

Paul Schenkeveld:
>(Not sure if this is the right list to discuss this, point me to a
>better list please if I'm wrong.)

-questions?

>    The configuration of the SPD for tunnel mode is very similar to that
>    of transport mode. The major change that is done is the use of the
>    gif(4) device to get the routing correct. Note that traffic is *not*
>    transported through the gif(4) tunnel! Instead the IPsec code in the
>    kernel grabs the packets according to the specified policy and wraps
>    them with the correct IP addresses for the IPsec tunnel.

Oops. I think I wrote this. :-)

>Tunnel traffic coming in on the external interface (fxp1) all looks
>like "proto ah" to IPfilter.  It looks like I cannot access the TCP,
>UDP or ICMP payload at this point, which makes sense to me.
>
>Does this mean that I can only filter TCP, UDP, ICMP traffic coming out of
>the tunnel when it leaves the firewall through the internal interface (fxp0)?
>
>So all listening sockets inside the firewall are completely open to
>traffic coming from the tunnel?

Actually you can (and want to!) filter for AH (or, if you're using
tunnel mode, ESP) protocols and drop any TCP, UDP and ICMP traffic.
Dropping ICMP completely is probably not wise - at least you want to
allow ICMP from the peers you are talking AH (or ESP) to. Further,
allowing a tcp/telnet resp. tcp/ssh to and from the remote site would
probably be reasonable.

>Or am I wrong here and is there a way to completely screen all tunnel
>traffic after the IPsec encapsulation is peeled off?

AFAIK not. I'd say this wouldn't be very sensible anyway. By setting up
a security association with the peer you are basically trusting him.

You can still do filtering on the inside interface of course.

Helge
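The filtering split Helge describes, written out as an IPfilter ruleset. This is an added example, not part of the original message or of the FreeBSD handbook text quoted above: on the external interface fxp1 only the IPsec protocols (AH, and ESP for tunnel mode), ICMP from the peer, and, if IKE rather than manual keying is used, ISAKMP on udp/500 are allowed; everything the tunnel carries is then filtered as ordinary IP when it leaves through the internal interface fxp0. The addresses 203.0.113.1 (this firewall), 192.0.2.2 (the peer gateway), 10.0.0.0/24 (local network) and 10.1.0.0/24 (remote network) are made-up documentation values, as are the choice of ssh as the only permitted protocol across the tunnel and the use of IKE.

```conf
# ---- external interface fxp1: ciphertext side ----------------------------
# Constructed addresses: 203.0.113.1 = this gateway, 192.0.2.2 = IPsec peer.
# IKE (only needed when keys are negotiated rather than set manually).
pass in  quick on fxp1 proto udp from 192.0.2.2 port = 500 to 203.0.113.1 port = 500 keep state
pass out quick on fxp1 proto udp from 203.0.113.1 port = 500 to 192.0.2.2 port = 500 keep state
# The tunnel itself: AH and ESP, restricted to the one peer we have an SA with.
pass in  quick on fxp1 proto ah  from 192.0.2.2 to 203.0.113.1
pass out quick on fxp1 proto ah  from 203.0.113.1 to 192.0.2.2
pass in  quick on fxp1 proto esp from 192.0.2.2 to 203.0.113.1
pass out quick on fxp1 proto esp from 203.0.113.1 to 192.0.2.2
# ICMP to and from the peer, so path MTU discovery and unreachables still work.
pass in  quick on fxp1 proto icmp from 192.0.2.2 to 203.0.113.1
pass out quick on fxp1 proto icmp from 203.0.113.1 to 192.0.2.2
# Anything else on the outside (plain TCP, UDP, ICMP from arbitrary hosts) is dropped.
block in  log quick on fxp1 all
block out log quick on fxp1 all

# ---- internal interface fxp0: cleartext side ------------------------------
# Packets decapsulated from the tunnel are routed out here as normal IP, so
# this is where the payload protocols can be filtered.  Only ssh from the
# remote network (10.1.0.0/24) into the local network (10.0.0.0/24) is allowed.
pass out quick on fxp0 proto tcp from 10.1.0.0/24 to 10.0.0.0/24 port = 22 flags S keep state
block out log quick on fxp0 from 10.1.0.0/24 to any
```

The outside rules never see the inner TCP/UDP/ICMP headers, which is exactly the behaviour Paul observed; restricting AH/ESP to the single peer address is what keeps the "trust the peer" decision limited to the one host the SA is actually established with. Traffic from the tunnel that is addressed to the firewall itself never crosses fxp0, so it is not caught by the second group of rules.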
