From: Helge Oldach
To: fb-stable@psconsult.nl (Paul Schenkeveld)
Cc: freebsd-stable@FreeBSD.ORG
Date: Sun, 7 Jul 2002 22:16:19 +0200 (MET DST)
Subject: Re: IPsec and IPfilter interaction
In-Reply-To: <20020707213133.A56630@psconsult.nl> from Paul Schenkeveld at "Jul 7, 2002 9:31:33 pm"
Message-Id: <200207072016.WAA20544@galaxy.de.cp.philips.com>

Paul Schenkeveld:
>(Not sure if this is the right list to discuss this, point me to a
>better list please if I'm wrong.)

-questions?

> The configuration of the SPD for tunnel mode is very similar to that
> of transport mode. The major change that is done is the use of the
> gif(4) device to get the routing correct. Note that traffic is *not*
> transported through the gif(4) tunnel! Instead the IPsec code in the
> kernel grabs the packets according to the specified policy and wraps
> them with the correct IP addresses for the IPsec tunnel.

Oops. I think I wrote this. :-)

>Tunnel traffic coming in on the external interface (fxp1) all looks
>like "proto ah" to IPfilter. It looks like I cannot access the TCP,
>UDP or ICMP payload at this point, which makes sense to me.
>
>Does this mean that I can only filter TCP, UDP, ICMP traffic coming out of
>the tunnel when it leaves the firewall thru the internal interface (fxp0)?
>
>So all listening sockets inside the firewall are completely open to
>traffic coming from the tunnel?

Actually you can (and want to!) filter for AH (or, if you're using
tunnel mode, ESP) protocols and drop any TCP, UDP and ICMP traffic.
Dropping ICMP completely is probably not wise - at least you want to
allow ICMP from the peers you are talking AH (or ESP) to. Further,
allowing a tcp/telnet resp. tcp/ssh to and from the remote site would
probably be reasonable.

>Or am I wrong here and is there a way to completely screen all tunnel
>traffic after the IPsec encapsulation is peeled off?

AFAIK not. I'd say this wouldn't be very sensible anyway. By setting up
a security association with the peer you are basically trusting him.
You can still do filtering on the inside interface of course.

Helge
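An ipf.conf fragment sketching the split described in the thread (external fxp1 sees only AH/ESP from the peer, the decapsulated traffic is restricted on the way out of internal fxp0). This is an added example, not part of the original mail; the addresses 203.0.113.1 (local gateway), 198.51.100.2 (remote IPsec peer), 192.168.1.0/24 (local LAN) and 192.168.2.0/24 (remote LAN) are assumed placeholders.

```ipf
# fxp1 = external interface, fxp0 = internal interface (as in the thread).
# Assumed addresses: local gateway 203.0.113.1, remote IPsec peer 198.51.100.2,
# local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24.

# On fxp1 the tunnel is only visible as AH/ESP: admit it from the known peer only.
pass in quick on fxp1 proto ah from 198.51.100.2 to 203.0.113.1
pass in quick on fxp1 proto esp from 198.51.100.2 to 203.0.113.1
pass out quick on fxp1 proto ah from 203.0.113.1 to 198.51.100.2
pass out quick on fxp1 proto esp from 203.0.113.1 to 198.51.100.2

# Keep ICMP open towards the IPsec peer so path problems stay diagnosable.
pass in quick on fxp1 proto icmp from 198.51.100.2 to 203.0.113.1
pass out quick on fxp1 proto icmp from 203.0.113.1 to 198.51.100.2

# Plain ssh to and from the remote site; everything else on fxp1 is dropped.
pass in quick on fxp1 proto tcp from 198.51.100.2 to 203.0.113.1 port = 22 flags S keep state
pass out quick on fxp1 proto tcp from 203.0.113.1 to 198.51.100.2 port = 22 flags S keep state
block in log quick on fxp1 all
block out quick on fxp1 all

# The decapsulated payload is not filterable on fxp1; it is only seen again when
# forwarded out of fxp0, so the remote LAN is constrained there.
pass out quick on fxp0 proto tcp from 192.168.2.0/24 to 192.168.1.0/24 port = 22 flags S keep state
pass out quick on fxp0 proto icmp from 192.168.2.0/24 to 192.168.1.0/24
block out log quick on fxp0 from 192.168.2.0/24 to 192.168.1.0/24
```

The fxp0 rules only cover forwarded traffic: packets from the tunnel addressed to the firewall's own sockets never cross fxp0, which is exactly the gap the question raises.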