From owner-freebsd-security Wed Apr 11 8:31:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id E5A5F37B422 for ; Wed, 11 Apr 2001 08:31:52 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by proxy.centtech.com (8.8.4/8.6.9) id KAA08072; Wed, 11 Apr 2001 10:31:34 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by proxy.centtech.com via smap (V2.0/2.1+anti-relay+anti-spam) id xma008070; Wed, 11 Apr 01 10:31:10 -0500
Received: from centtech.com (shiva [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id KAA06903; Wed, 11 Apr 2001 10:31:10 -0500 (CDT)
Message-ID: <3AD478BE.E19A16F@centtech.com>
Date: Wed, 11 Apr 2001 10:31:10 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Lowell Gilbert
Cc: Rasputin , freebsd-security@freebsd.org
Subject: Re: Interaction between ipfw, IPSEC and natd
References: <20010410181407.A1011@linnet.org> <20010411100036.B63302@dogma.freebsd-uk.eu.org> <44bsq331ck.fsf@lowellg.ne.mediaone.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I was having a hard time getting NATD to work with ipfw and IPSEC, so I tried
IPFILTER (ipf) and ipnat, and they work fairly well together. The firewall
rules are still a pain to get working, however, but I'm much farther along
than I was with ipfw and NATD.

Eric

Lowell Gilbert wrote:
>
> rara.rasputin@virgin.net (Rasputin) writes:
>
> > Does anybody know if ipfilter has similar problems with IPSec?
>
> Some forms of IPSEC have fundamental problems with packet rewriting,
> which means that NAT is extremely hard to use in an IPSEC environment.
> Notably, end-to-end IPSEC modes are broken, although router-based
> tunnels can be a problem depending on whether the NAT rewriting occurs
> before or after the IPSEC headers are applied.
>
> Even without NAT, though, firewalls are a little tricky to configure
> for IPSEC packets. This is because the firewall can't see the
> protocol ports (or even the protocol, for that matter) in the packet,
> so you have to make pass/drop decisions for IPSEC packets without that
> information. Both ipfilter and ipfw have some ability to deal with IP
> options, but it's a little limited in both cases and I'm too far out
> of my depth to speculate on what the right approach to firewalling
> IPSEC would be.
>
> Be well.
> Lowell Gilbert
> --
> Everybody is ignorant, only on different subjects.
> -- Will Rogers
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
-------------------------------------------------------------------------------
Eric Anderson    anderson@centtech.com    Centaur Technology    (512) 418-5792
To see a need and wait to be asked, is to already refuse.
-------------------------------------------------------------------------------
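The two points Lowell makes in the quoted reply, that a packet filter cannot see the ports (or the protocol) inside an IPsec packet and that NAT rewriting breaks end-to-end IPsec, can be shown on the wire format itself. The Python below is an added example written for this archive page; it is not code from the thread, from FreeBSD, ipfw, ipf or natd. It hand-builds a TCP segment carried three ways (plain, inside ESP, inside AH in transport mode), shows what a stateless filter can recover from each, and then rewrites the source address the way a source-NAT would and re-checks the AH integrity value. Addresses, SPIs and the key are constructed sample values; the ESP "cipher" is an XOR keystream standing in for a real one, and IP/TCP checksums are left at zero, since only header layout and the AH ICV matter here. It goes one step beyond the quoted text by showing that AH (unlike ESP) leaves the inner protocol and ports readable, because AH authenticates but does not encrypt.

```python
"""Added example: what a packet filter sees in IPsec traffic, and why NAT
breaks AH.  Constructed values throughout; toy cipher, no real checksums."""
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
IP_HDR = 20          # minimal IPv4 header, no options
AH_ICV_LEN = 12      # HMAC-SHA1-96 truncated ICV (RFC 2402 style)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; header checksum left 0 (constructed, not routable)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + payload_len,
                       0x1234, 0, ttl, proto, 0, src, dst)


def tcp_segment(sport, dport, data=b""):
    """TCP header with SYN set, no options, checksum 0 (constructed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + data


def toy_esp(spi, seq, inner, key):
    """ESP layout: SPI and sequence number in the clear, everything after them
    opaque.  The XOR keystream is a placeholder for a real cipher (constructed)."""
    stream = hashlib.sha256(key + struct.pack("!II", spi, seq)).digest()
    while len(stream) < len(inner):
        stream += hashlib.sha256(stream).digest()
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(inner, stream))


def ah_icv(ip_hdr, ah_no_icv, payload, key):
    """ICV over the IP header with mutable fields zeroed (TOS, flags/fragment
    offset, TTL, checksum), the AH header with its ICV zeroed, and the payload.
    Source and destination addresses are immutable, so they ARE covered."""
    h = bytearray(ip_hdr)
    h[1] = 0             # TOS
    h[6:8] = b"\0\0"     # flags + fragment offset
    h[8] = 0             # TTL
    h[10:12] = b"\0\0"   # header checksum
    mac = hmac.new(key, bytes(h) + ah_no_icv + b"\0" * AH_ICV_LEN + payload, hashlib.sha1)
    return mac.digest()[:AH_ICV_LEN]


def ah_wrap(src, dst, spi, seq, inner_proto, inner, key):
    """AH transport mode: IP | AH(next=inner_proto) | inner, ICV filled in."""
    ah_words = (12 + AH_ICV_LEN) // 4 - 2          # AH length in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", inner_proto, ah_words, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, len(ah_no_icv) + AH_ICV_LEN + len(inner))
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, inner, key) + inner


def ah_verify(packet, key):
    """Recompute the ICV as the receiving end would and compare it."""
    ip_hdr, ah_no_icv = packet[:IP_HDR], packet[IP_HDR:IP_HDR + 12]
    icv, payload = packet[IP_HDR + 12:IP_HDR + 12 + AH_ICV_LEN], packet[IP_HDR + 12 + AH_ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_no_icv, payload, key))


def firewall_view(packet):
    """What a stateless packet filter can learn from the outer headers alone."""
    proto = packet[9]
    body = packet[IP_HDR:]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        return {"proto": "tcp", "sport": sport, "dport": dport}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"proto": "esp", "spi": spi, "seq": seq}   # inner protocol/ports unknowable
    if proto == IPPROTO_AH:
        next_hdr, ah_words, _, spi, seq = struct.unpack("!BBHII", body[:12])
        inner = body[(ah_words + 2) * 4:]
        view = {"proto": "ah", "spi": spi, "next": next_hdr}
        if next_hdr == IPPROTO_TCP:                         # AH leaves the TCP header readable
            view["sport"], view["dport"] = struct.unpack("!HH", inner[:4])
        return view
    return {"proto": proto}


def nat_rewrite_src(packet, new_src):
    """Source-NAT as a rewriting box would do it (IP checksum not recomputed; constructed)."""
    return packet[:12] + new_src + packet[16:]


def demo():
    key = b"constructed-sample-key"
    src, dst, nat_ip = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])
    tcp = tcp_segment(40000, 22)
    plain = ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp
    esp = ipv4_header(src, dst, IPPROTO_ESP, 8 + len(tcp)) + toy_esp(0x1001, 1, tcp, key)
    ah = ah_wrap(src, dst, 0x1002, 1, IPPROTO_TCP, tcp, key)
    return {
        "plain": firewall_view(plain),
        "esp": firewall_view(esp),
        "ah": firewall_view(ah),
        "ah_verifies": ah_verify(ah, key),
        "ah_after_nat_verifies": ah_verify(nat_rewrite_src(ah, nat_ip), key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the filter getting ports from the plain packet, only an SPI and sequence number from the ESP packet, and ports again from the AH packet; the AH ICV verifies before the source rewrite and fails after it, which is the "end-to-end modes are broken" case. A rule set for ESP or AH therefore has to key on source/destination address and protocol number (50/51, plus UDP 500 for IKE), not on ports, and a NAT box in the path has to sit on the outside of a tunnel endpoint rather than between two transport-mode peers.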