From: lupe@lupe-christoph.de (Lupe Christoph)
To: freebsd-security@FreeBSD.ORG
Date: Sat, 7 Jun 2003 13:15:40 +0200
Subject: Impossible to IPfilter this?
Message-ID: <20030607111540.GC4812@lupe-christoph.de>

Hi!

I'm trying to increase security on my FreeBSD 4.8 firewall/DSL router/VPN
router. My problem is with firewalling the VPN part.

I'm using a tunnel to a RedHat 7.1 box running FreeS/WAN. This tunnel allows
traffic from my internal net (172.17.0.0/24) to that box only:

spdadd 172.17.0.0/24 $REDHAT/32 any -P out ipsec esp/tunnel/$MYADDR-$REDHAT/unique;
spdadd $REDHAT/32 172.17.0.0/24 any -P in ipsec esp/tunnel/$REDHAT-$MYADDR/unique;

What I want to do is prohibit traffic from $REDHAT to 172.17.0.7, the internal
address of this FreeBSD box. I'm using IPFilter, so I inserted a rule like this:

block in log quick from any to 172.17.0.7

It is not attached to any interface, so it should supposedly work even for
tunnelled traffic. Only it doesn't.

I tried using GIF devices, but could not get them to work with FreeS/WAN 1.95.
Did anybody accomplish this?

I remember talk on this mailing list about making IPSec use an interface even
when it is not run with GIFs. I have not followed the FreeBSD 5 work. Is this
being integrated there? It would be very useful for this kind of situation, and
I'm using it on some other FreeS/WAN box I maintain. But I want to secure my
firewall against the other side being taken over, so this does not help me here.

Any hints on how to resolve this are welcome. I don't think this is a general
IPFilter problem, hence I'm asking on this mailing list rather than the one for
IPFilter.

Thank you,
Lupe Christoph

PS: There was talk about the sequence in which IPFW/IPNat/IPFilter get invoked.
It would be interesting to put the IPSec code in this picture. Are IPSec packets
going through *any* of them? With/without GIF?

-- 
| lupe@lupe-christoph.de       |  http://www.lupe-christoph.de/  |
| "Violence is the resort of the violent"  Lu Tze                |
| "Thief of Time", Terry Pratchett                                 |
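The block rule in the message carries the log keyword, so one way to find out whether it ever sees the tunnelled traffic is to look at what ipmon(8) records while test traffic is sent from the peer. The script below is an added example, not part of the original post or of IPFilter; it parses ipmon-style log lines and reports, per rule and per destination host, how many packets were blocked or passed. The one-line-per-packet format is assumed from ipmon's usual output, and the sample lines, the peer address 192.0.2.10 and the interface name tun0 are constructed for the example. If the peer's packets to 172.17.0.7 show up under neither "blocked" nor "passed", the filter never saw the decapsulated packets, which is the behaviour the post describes.

```python
"""Check ipmon(8) output for hits on an IPFilter rule that protects one host.

Added example: not part of the original mailing-list post. The log format is
assumed from ipmon's usual one-line-per-packet output; the sample lines, the
peer address 192.0.2.10 and the interface name tun0 are constructed.
"""
import re
from collections import Counter

# Constructed sample ipmon lines (not real captures).  Lines 1 and 3 show
# tunnel traffic to another internal host being passed by rule 3; lines 2
# and 4 show the peer's packets to 172.17.0.7 being blocked by rule 1 of
# group 0, which is what the poster expects to see.
SAMPLE_LOG = """\
07/06/2003 13:10:02.113456 tun0 @0:3 p 192.0.2.10,80 -> 172.17.0.9,1033 PR tcp len 20 52 -A IN
07/06/2003 13:10:05.004512 tun0 @0:1 b 192.0.2.10,4321 -> 172.17.0.7,22 PR tcp len 20 60 -S IN
07/06/2003 13:10:07.778001 tun0 @0:3 p 172.17.0.9,1033 -> 192.0.2.10,80 PR tcp len 20 52 -A OUT
07/06/2003 13:10:09.120000 tun0 @0:1 b 192.0.2.10 -> 172.17.0.7 PR icmp len 20 84 icmp 8/0 IN
"""

# One record (assumed layout):
#   date time iface @group:rule action src[,port] -> dst[,port] PR proto len hlen plen ... dir
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[0-9.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[0-9.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one ipmon line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # ipmon's action field starts with 'b' for blocked, 'p' for passed
    rec["blocked"] = rec["action"].startswith("b")
    tail = rec["rest"].split()
    rec["direction"] = tail[-1] if tail else ""     # trailing IN / OUT
    return rec


def parse_log(text):
    """Parse every non-empty line; lines that do not match are skipped."""
    parsed = (parse_line(ln) for ln in text.splitlines() if ln.strip())
    return [r for r in parsed if r]


def rule_hits(records):
    """Count packets per (group, rule, blocked?) so you can see which rules fire."""
    return Counter((r["group"], r["rule"], r["blocked"]) for r in records)


def packets_to_host(records, host, src=None):
    """Split records addressed to `host` (optionally only from `src`) by verdict.

    With the block rule working, everything from the peer to the firewall's
    internal address lands under 'blocked' and nothing under 'passed'.  Both
    lists empty after sending test traffic means the filter never saw the
    decapsulated packets.
    """
    sel = [r for r in records
           if r["dst"] == host and (src is None or r["src"] == src)]
    return {
        "blocked": [r for r in sel if r["blocked"]],
        "passed": [r for r in sel if not r["blocked"]],
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (group, rule, blocked), n in sorted(rule_hits(recs).items()):
        print("group %s rule %s %s: %d packet(s)"
              % (group, rule, "block" if blocked else "pass", n))
    verdicts = packets_to_host(recs, "172.17.0.7", src="192.0.2.10")
    print("to 172.17.0.7 from peer: %d blocked, %d passed"
          % (len(verdicts["blocked"]), len(verdicts["passed"])))
```

To use it on a live box, feed it the file ipmon writes (or pipe ipmon's output into parse_log) and restrict packets_to_host to the peer address; only the ipmon line layout is assumed here, so adjust LINE_RE if your ipmon version prints fields differently.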