From owner-freebsd-questions Tue Apr 10 10:14:15 2001 Delivered-To: freebsd-questions@freebsd.org Received: from internal.mail.telinco.net (internal.mail.telinco.net [212.1.128.4]) by hub.freebsd.org (Postfix) with ESMTP id 3F03D37B422; Tue, 10 Apr 2001 10:14:09 -0700 (PDT) (envelope-from b.candler@pobox.com) Received: from gate.lon.uk.worldonline.com ([212.74.96.2] helo=bloodhound.uk.worldonline.com) by internal.mail.telinco.net with esmtp (Exim 3.02 #1) id 14n1iS-0005fL-00; Tue, 10 Apr 2001 18:14:08 +0100 Received: from brian by bloodhound.uk.worldonline.com with local (Exim 3.22 #1) id 14n1iR-0000Gq-00; Tue, 10 Apr 2001 18:14:07 +0100 Date: Tue, 10 Apr 2001 18:14:07 +0100 From: Brian Candler To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org Subject: Interaction between ipfw, IPSEC and natd Message-ID: <20010410181407.A1011@linnet.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Is there any documentation on how ipfw, natd and IPSEC interact with each other? In particular, - what is the order of processing of inbound and outbound packets? - when packets are re-injected by natd, where in the whole system are they re-injected? - do packets reinjected by natd still match 'in via ' or 'out via '? (OK, I could determine this one experimentally, but I'd still like to see it documented :-) I see that by default FreeBSD puts its natd divert rule right at the very top of the ruleset, but I have found that this stops IPSEC processing working. I can make it work by putting natd lower down: e.g. add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8 # private addrs add 02000 divert 8668 ip from any to any via xl0 # external i/face Here, subnets of 10.0.0.0/8 are behind the 'private' interface and also the remote endpoints of IPSEC tunnels; there are IPSEC SA's which define them exactly. However in this case I find it difficult to add anti-spoofing rules on external interfaces without breaking either IPSEC or NAT. Note that even in the presence of IPSEC, anti-spoofing rules _are_ still required. For example, I have an SA which says spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any -P out none; spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any -P in none; (where 10.0.1.0/24 is the locally-attached subnet and other downstream subnets are within the /20). This is in order to allow local, non-encrypted traffic to be routed via this box. However the presence of this SA means that I really need an anti-spoofing filter on the public interface to prevent packets matching this null SA being injected from outside. In the end, I want to build a firewall with: - antispoofing on all interfaces - various IPSEC tunnels to distant subnets of private network - natd for sessions going out of "public" interface - the ability to add other ipfw policy controls and not only should it work, but I should also have some confidence that it is actually secure and doing what I intend - which means I really need to understand how all these bits fit together :-) Thanks, Brian. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message