Date: Tue, 26 Nov 2002 07:19:13 -0600 From: Greg Panula <greg.panula@dolaninformation.com> To: "Patrick M. Hausen" <hausen@punkt.de> Cc: FreeBSD-stable@FreeBSD.ORG Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION ANDQUESTIONS Message-ID: <3DE374D1.AE5A27A3@dolaninformation.com> References: <200211211504.gALF4Sej086710@hugo10.ka.punkt.de>
next in thread | previous in thread | raw e-mail | index | archive | help
"Patrick M. Hausen" wrote: > > Hi! > > > Glad I didn't know this in advance as that is exactly what I believe I > > have. Two FreeBSD systems, one on each end connected to cable modem. > > About 8 machines behind one on 192.168.100.0/24 and 10 or 15 behind the > > other on 10.0.0.0/24. An ESP tunnel between. > > ;-) > > > Other than my decrypted packets have started appearing to ipfw as if > > they were coming from fxp1 (which is what started this mess) everything > > else is working just fine. > > It is only filtering the decrypted packets that I'm talking about > all the time. It's impossible to build a filter that says: > > - ESP from my peer is OK > - 10... to 192.168... is OK if it's coming out of the ESP tunnel > - 10... to 192.168... is _not_ OK if it's coming in my external IF > in plain text > > If you want to allow the derypted traffic in, you have to allow all > traffic with identical addresses, even if it hasn't arrived > through the ESP tunnel but just came to the outside IF of your > network by some other route. Huh? What about an ipfw ruleset something like.... # allow ipsec esp tunnel between me and peer allow esp from peer to me via ext.nic allow esp from me to peer via ext.nic # drop bogus traffic from 10.0.0.0/8 arriving on external nic deny ip from 10... to any in via ext.nic # allow private traffic between location to flow allow ip from 10... to 192.168... out via int.nic allow ip from 192.168... to 10... in via int.nic Granted the ruleset above assumes you are *not* using gif tunnels, just ipsec tunnels. The encrypted traffic arrives on the external interface, is decrypted and passed back to the kernel for routing&filtering. Ipfw rules for the internal nic then allow or deny the traffic. Or did I miss something? Thanks, Greg To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3DE374D1.AE5A27A3>