Date: Tue, 20 Feb 2001 03:19:16 +0100
From: Rocco Lucia <rlucia@elisa.utopianet.net>
To: Chris Johnson <cjohnson@palomine.net>
Cc: security@FreeBSD.ORG
Subject: Re: Firewall rules with natd and IPSEC VPN
Message-ID: <20010220031916.A20586@iscanet.com>
In-Reply-To: <20010219173539.A75521@palomine.net>; from cjohnson@palomine.net on Mon, Feb 19, 2001 at 05:35:39PM -0500
On Mon, Feb 19, 2001 at 05:35:39PM -0500, Chris Johnson wrote:
> ...
> It mostly works as I'd hoped, but I'm a little hazy on what firewall rules need
> to be in place. Before I implemented the VPN, I had:
>
> add divert 8668 ip from any to any via dc0
> [a bunch of other stuff]
>
> I found that in order to make the VPN work, I had to change this to:
>
> ipfw add allow ip from 192.168.11.0/24 to 192.168.5.0/24
> ipfw add allow ip from 192.168.5.0/24 to 192.168.11.0/24
> add divert 8668 ip from any to any via dc0
> [a bunch of other stuff]
>
> With the above rules, things seem to work. But the two rules I added before the
> divert rule make me a little nervous. Should they? Is there something more
> restrictive that will still work?
>

Those two rules will prevent all traffic going to the other private LAN from
being diverted to natd, so it will just be routed into your IPsec tunnel.

If you want to apply firewall filtering rules between your private LANs, you can
do one of the following things:

1. add ipfw allow rules terminated by a deny rule specifying "via gif0" or
   whatever your tunnel interface is (before those 2 catch-all LAN-to-LAN rules).
2. do not use your first two rules, and allow/deny traffic as you wish before
   your divert catch-all rule

... or other fancy ways, of course.

> My ipsec.conf file has the following:
>
> spdadd 192.168.5.0/24 192.168.11.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
> spdadd 192.168.11.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
>
> Does this protect me from someone spoofing a 192.168.5.0/24 address and getting
> something through my firewall, since any packet arriving from 192.168.5.0/24
> will have the above security policy applied to it? (Obviously my understanding
> of this IPSEC stuff is a little vague; thanks for your patience.)
>

Well, that will not prevent spoofing at the ingress points of your tunnels (say
somebody sending spoofed traffic from your dc0 interface).
But you can filter out spoofed traffic by denying packets with source/destination
in your private LANs received on your dc0 interface (say "ipfw deny ... in recv dc0").

ciao,
Rocco

--
Rocco Lucia                          Iscanet Internet Services
rlucia@iscanet.com                   System and Network Admin
http://elisa.utopianet.net/~rlucia   Free unices for a free world. Support *BSD.
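[Editor's note: the rule set below is an added example written for this archive page; it is not Rocco's or Chris's own configuration. It puts Rocco's second option and his anti-spoof suggestion together in the order ipfw needs: anti-spoof denies first, then explicit LAN-to-LAN allows, then a LAN-to-LAN deny that terminates them, and only then the natd divert, so inter-LAN traffic never reaches natd. The addresses, interface dc0 and natd port 8668 come from the thread; the allowed ports (22, 80), the use of ipfw's stateful check-state/keep-state, and the rule numbers are my assumptions. IPFW defaults to "echo ipfw" so the script only prints the commands; set IPFW=/sbin/ipfw on the gateway to load them.]

```shell
#!/bin/sh
# Added example for the freebsd-security thread above, not the posters' own
# ruleset. Values from the thread: dc0 (external interface natd diverts on),
# 192.168.11.0/24 (local LAN), 192.168.5.0/24 (remote LAN), natd on port 8668.
# Assumptions: allowed ports 22/80, stateful matching, the rule numbers.
EXT_IF=dc0
LOCAL_LAN=192.168.11.0/24
REMOTE_LAN=192.168.5.0/24
NATD_PORT=8668

# Default to printing the commands; IPFW=/sbin/ipfw loads them for real.
IPFW=${IPFW:-"echo ipfw"}

# Emit the rules in evaluation order, one "add ..." per line. ipfw evaluates
# the lowest rule number first, so the order here is the security policy:
#   50      match packets belonging to sessions opened by rule 200
#   100-110 anti-spoof: private-LAN sources must never arrive on dc0 in clear
#   200-220 the only LAN-to-LAN traffic we allow, routed into the IPsec tunnel
#   290-291 terminate the LAN-to-LAN set so nothing else between the LANs
#           falls through to natd (Rocco's option 2)
#   300     natd divert for everything that is left; the rest of the original
#           ruleset ("a bunch of other stuff") follows this rule
build_rules() {
    cat <<EOF
add 50 check-state
add 100 deny log ip from $REMOTE_LAN to any in recv $EXT_IF
add 110 deny log ip from $LOCAL_LAN to any in recv $EXT_IF
add 200 allow tcp from $LOCAL_LAN to $REMOTE_LAN 22,80 setup keep-state
add 210 allow icmp from $LOCAL_LAN to $REMOTE_LAN
add 220 allow icmp from $REMOTE_LAN to $LOCAL_LAN
add 290 deny log ip from $LOCAL_LAN to $REMOTE_LAN
add 291 deny log ip from $REMOTE_LAN to $LOCAL_LAN
add 300 divert $NATD_PORT ip from any to any via $EXT_IF
EOF
}

# Rule number of the first rule whose text contains the literal string $1.
# Used to check that ordering constraints hold before loading anything.
rule_num() {
    build_rules | grep -F -- "$1" | head -n 1 | awk '{ print $2 }'
}

# Hand each rule to ipfw (or echo it, with the default IPFW setting).
load_rules() {
    build_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $IPFW and $rule is intended
        $IPFW $rule
    done
}

load_rules
```

One check worth doing after loading this: rule 100 drops anything that arrives on dc0 with a 192.168.5.0/24 source, and whether the decapsulated inner packets of the tunnel are handed back to ipfw with dc0 still recorded as their receiving interface depends on the IPsec implementation. Run "ipfw -a list" while VPN traffic flows; if rule 100's counters climb and the tunnel stops passing traffic, the anti-spoof rule is catching the decrypted packets and has to be narrowed rather than simply dropped. The thread does not settle this point, so test it on your own gateway.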