From owner-freebsd-questions Fri May 4 16:21:48 2001
Date: Fri, 4 May 2001 16:21:10 -0700 (PDT)
Subject: ipsec/ipfw combination insecure?
From: "Flemming Frøkjær" <flemming@froekjaer.org>
To: questions@freebsd.org
Message-ID: <3174.63.105.19.225.989018470.squirrel@sleipner.eiffel.dk>

When using ipsec to set up a VPN, address translation is taking place before ipfw gets the packets. This means that ipfw sees the packets from the remote RFC1918 network as coming from the external network interface, and thus one is forced to bore a gaping hole for incoming traffic in that IP range for the VPN to work.

As far as I know, hackers can easily spoof their IP, so it will look like their packets are coming from that very same IP range.

Am I too paranoid here, or is there really a security problem with this? If there is, what can be done about it? If there isn't, why not?

Thanks...

\Flemming
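The following is an added illustration, not part of the original post and not FreeBSD or ipfw code. It is a small Python model of first-match packet filtering that contrasts the address-based "hole" rule the post describes with a rule keyed on whether the kernel actually decapsulated the packet from an IPsec security association. The interface name, the two private networks and the packets are constructed for the example; the `ipsec` attribute stands in for the kernel's IPsec history on a packet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of ipfw-style first-match filtering, written to illustrate
# the question above. It is not FreeBSD code; names and addresses are assumed.
EXT_IF = "fxp0"                                        # assumed external interface
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")    # assumed local LAN
REMOTE_NET = ipaddress.ip_network("192.168.20.0/24")   # assumed remote VPN site
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str            # interface the filter sees the packet on
    ipsec: bool = False   # True only if the kernel decapsulated it from an IPsec SA


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def evaluate(rules, pkt):
    """Return 'allow' or 'deny' for pkt under a first-match rule list; default deny."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for action, cond in rules:
        if "src" in cond and not _in_any(src, cond["src"]):
            continue
        if "dst" in cond and not _in_any(dst, cond["dst"]):
            continue
        if "iface" in cond and pkt.iface != cond["iface"]:
            continue
        if "ipsec" in cond and pkt.ipsec != cond["ipsec"]:
            continue
        return action
    return "deny"


# Ruleset 1: the "gaping hole" the post describes. Because decapsulated VPN
# traffic shows up on the external interface, letting it in by address alone
# means accepting the whole remote range on that interface, spoofed or not.
HOLE_RULES = [
    ("allow", {"src": [REMOTE_NET], "dst": [LOCAL_NET], "iface": EXT_IF}),
]

# Ruleset 2: key the decision on IPsec history instead of the source address.
# A packet that really came through the SA carries ipsec=True; a spoofed
# clear-text packet with the same source address does not, and the anti-spoof
# rule drops any RFC1918 source arriving in the clear on the external interface.
HARDENED_RULES = [
    ("allow", {"src": [REMOTE_NET], "dst": [LOCAL_NET], "ipsec": True}),
    ("deny", {"src": RFC1918, "iface": EXT_IF}),
]

# Constructed packets: same addresses, one genuine (decapsulated), one spoofed.
GENUINE = Packet("192.168.20.5", "192.168.10.7", EXT_IF, ipsec=True)
SPOOFED = Packet("192.168.20.5", "192.168.10.7", EXT_IF, ipsec=False)


def compare():
    """Decision for the genuine and the spoofed packet under both rulesets."""
    return {
        "hole": (evaluate(HOLE_RULES, GENUINE), evaluate(HOLE_RULES, SPOOFED)),
        "hardened": (evaluate(HARDENED_RULES, GENUINE),
                     evaluate(HARDENED_RULES, SPOOFED)),
    }


if __name__ == "__main__":
    for name, (genuine, spoofed) in compare().items():
        print(f"{name:8s} genuine={genuine} spoofed={spoofed}")
```

The point of the model is that the source address is not the attribute to trust; the fact that the kernel decrypted and authenticated the packet is. Later ipfw releases expose that fact directly as the `ipsec` rule option; on the FreeBSD release current when this was posted, a common way to get the same distinction was to carry the tunnel over a gif(4) interface so that the filter could match on that interface rather than on the external one.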