Date: Wed, 11 Apr 2001 10:31:10 -0500
From: Eric Anderson <anderson@centtech.com>
To: Lowell Gilbert <lowell@world.std.com>
Cc: Rasputin <rara.rasputin@virgin.net>, freebsd-security@freebsd.org
Subject: Re: Interaction between ipfw, IPSEC and natd
Message-ID: <3AD478BE.E19A16F@centtech.com>
References: <20010410181407.A1011@linnet.org> <20010411100036.B63302@dogma.freebsd-uk.eu.org> <44bsq331ck.fsf@lowellg.ne.mediaone.net>
I was having a hard time getting NATD to work with ipfw and IPSEC, so I tried IPFILTER (ipf) and ipnat, and they work fairly well together. The firewall rules are still a pain to get working, but I'm much farther along than I was with ipfw and NATD.

Eric

Lowell Gilbert wrote:
>
> rara.rasputin@virgin.net (Rasputin) writes:
>
> > Does anybody know if ipfilter has similar problems with IPSec?
>
> Some forms of IPSEC have fundamental problems with packet rewriting,
> which means that NAT is extremely hard to use in an IPSEC environment.
> Notably, end-to-end IPSEC modes are broken, although router-based
> tunnels can be a problem depending on whether the NAT rewriting occurs
> before or after the IPSEC headers are applied.
>
> Even without NAT, though, firewalls are a little tricky to configure
> for IPSEC packets. This is because the firewall can't see the
> protocol ports (or even the protocol, for that matter) in the packet,
> so you have to make pass/drop decisions for IPSEC packets without that
> information. Both ipfilter and ipfw have some ability to deal with IP
> options, but it's a little limited in both cases and I'm too far out
> of my depth to speculate on what the right approach to firewalling
> IPSEC would be.
>
> Be well.
> Lowell Gilbert
> --
> Everybody is ignorant, only on different subjects.
> -- Will Rogers
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
To see a need and wait to be asked, is to already refuse.
-------------------------------------------------------------------------------
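The thread's two points are that ESP and AH packets carry no TCP/UDP ports for the firewall to match on, and that NAT rewriting must not touch the IPSEC packets themselves. The script below is an added example, not code from anyone in the thread: an ipfw rule set for a FreeBSD gateway that accepts IKE, ESP and AH between two gateway addresses on protocol and peer address alone, and only then hands remaining traffic to natd. The interface name and the two gateway addresses are placeholders, and the rule numbering is the example's own choice. Setting IPFW=echo prints the rules instead of loading them, so the ordering can be checked without root.

```shell
#!/bin/sh
# Added example (not from the original thread): ipfw rules that pass IPsec
# between two gateways before natd sees the traffic.  ESP (protocol 50) and
# AH (protocol 51) have no port fields, so the filter can only decide on
# protocol and peer address.  Interface and addresses are placeholders.
#
# IPFW defaults to the real ipfw(8) binary; set IPFW=echo to dry-run.
IPFW=${IPFW:-ipfw}

ipsec_rules() {
    ext_if=$1      # outside interface, e.g. ed0 (placeholder)
    local_gw=$2    # this gateway's public address (placeholder)
    remote_gw=$3   # the IPsec peer's public address (placeholder)

    # IKE negotiates the SAs over UDP port 500; this is ordinary UDP, so
    # ports are visible and can be matched as usual.
    $IPFW add 100 allow udp from "$local_gw" 500 to "$remote_gw" 500
    $IPFW add 110 allow udp from "$remote_gw" 500 to "$local_gw" 500

    # ESP and AH: nothing beyond the IP header is visible to the filter,
    # so the pass decision is made on protocol and peer address only.
    $IPFW add 200 allow esp from "$local_gw" to "$remote_gw"
    $IPFW add 210 allow esp from "$remote_gw" to "$local_gw"
    $IPFW add 220 allow ah from "$local_gw" to "$remote_gw"
    $IPFW add 230 allow ah from "$remote_gw" to "$local_gw"

    # Only now divert to natd.  The IPsec packets between the gateways
    # were accepted above, so natd never rewrites them.
    $IPFW add 300 divert natd ip from any to any via "$ext_if"

    # Everything not explicitly allowed is dropped and logged.
    $IPFW add 65000 deny log ip from any to any
}

# Dry-run helper: returns the rule set as text without loading it.
rules_text() {
    ( IPFW=echo; ipsec_rules "$@" )
}
```

This only protects the tunnel between the two gateways; it does nothing for hosts behind the NAT that try to run end-to-end IPSEC themselves, which is exactly the case Lowell describes as broken, because natd would have to rewrite addresses inside packets whose integrity check covers them.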