From owner-freebsd-security Mon Feb 19 14:35:44 2001
Date: Mon, 19 Feb 2001 17:35:39 -0500
From: Chris Johnson
To: security@freebsd.org
Subject: Firewall rules with natd and IPSEC VPN
Message-ID: <20010219173539.A75521@palomine.net>

I followed the how-to at http://www.mutex.org/aaron/tips/ipsec and set up an encrypted VPN between two RFC 1918 networks. Each has a FreeBSD 4.2 box running natd, with a private interface and a public interface. The private network on one end is 192.168.11.0/24, and on the other end is 192.168.5.0/24.

It mostly works as I'd hoped, but I'm a little hazy on what firewall rules need to be in place. Before I implemented the VPN, I had:

    add divert 8668 ip from any to any via dc0
    [a bunch of other stuff]

I found that in order to make the VPN work, I had to change this to:

    ipfw add allow ip from 192.168.11.0/24 to 192.168.5.0/24
    ipfw add allow ip from 192.168.5.0/24 to 192.168.11.0/24
    add divert 8668 ip from any to any via dc0
    [a bunch of other stuff]

With the above rules, things seem to work. But the two rules I added before the divert rule make me a little nervous. Should they? Is there something more restrictive that will still work?
My ipsec.conf file has the following:

    spdadd 192.168.5.0/24 192.168.11.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
    spdadd 192.168.11.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;

Does this protect me from someone spoofing a 192.168.5.0/24 address and getting something through my firewall, since any packet arriving from 192.168.5.0/24 will have the above security policy applied to it? (Obviously my understanding of this IPSEC stuff is a little vague; thanks for your patience.)

Chris Johnson
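A consistency check for setkey spdadd policy pairs like the two quoted in the post, as an added example (not code from the original post or from the how-to it cites): it parses the spdadd lines and reports any inbound policy whose level is not "require" or whose outbound counterpart does not mirror the inner selector and the outer tunnel endpoints. The first configuration is the one posted; the second is constructed to show a mismatch.

```python
"""Consistency check for KAME/setkey 'spdadd' policy pairs (added example)."""
import re
from ipaddress import ip_network

# spdadd <src> <dst> <upperspec> -P <in|out> ipsec <proto>/<mode>/<outer_src>-<outer_dst>/<level>;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/(\w+)/([\d.]+)-([\d.]+)/(\w+)\s*;"
)

# The two policies quoted in the post above.
POSTED_CONF = """
spdadd 192.168.5.0/24 192.168.11.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.11.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
"""

# Constructed variant: the out policy's tunnel endpoints are not swapped relative to the in policy.
BROKEN_CONF = """
spdadd 192.168.5.0/24 192.168.11.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.11.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
"""

def parse_spd(text):
    """Return one dict per spdadd line; the outer header is written src-dst in setkey syntax."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, upper, direction, proto, mode, outer_src, outer_dst, level = m.groups()
        policies.append({"src": ip_network(src), "dst": ip_network(dst), "upper": upper,
                         "dir": direction, "proto": proto, "mode": mode,
                         "outer_src": outer_src, "outer_dst": outer_dst, "level": level})
    return policies

def check_pairs(policies):
    """For each 'in' policy, require level 'require' and an 'out' policy that mirrors it:
    inner selector reversed, outer tunnel endpoints swapped, same upperspec/proto/mode/level.
    Returns a list of human-readable problems (empty when the SPD is consistent)."""
    problems = []
    outs = [p for p in policies if p["dir"] == "out"]
    for p in (q for q in policies if q["dir"] == "in"):
        label = f"in {p['src']}->{p['dst']}"
        if p["level"] != "require":
            problems.append(f"{label}: level is {p['level']}, not require")
        mirrored = [o for o in outs
                    if o["src"] == p["dst"] and o["dst"] == p["src"]
                    and o["outer_src"] == p["outer_dst"] and o["outer_dst"] == p["outer_src"]
                    and (o["upper"], o["proto"], o["mode"], o["level"])
                    == (p["upper"], p["proto"], p["mode"], p["level"])]
        if not mirrored:
            problems.append(f"{label}: no mirrored out policy (check selector and tunnel endpoints)")
    return problems

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("constructed", BROKEN_CONF)):
        print(name, check_pairs(parse_spd(conf)) or "consistent")
```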