From: Greg Panula <greg.panula@dolaninformation.com>
Date: Tue, 26 Nov 2002 07:19:13 -0600
To: "Patrick M. Hausen"
Cc: FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <3DE374D1.AE5A27A3@dolaninformation.com>
References: <200211211504.gALF4Sej086710@hugo10.ka.punkt.de>

"Patrick M. Hausen" wrote:
>
> Hi!
>
> > Glad I didn't know this in advance as that is exactly what I believe I
> > have. Two FreeBSD systems, one on each end connected to cable modem.
> > About 8 machines behind one on 192.168.100.0/24 and 10 or 15 behind the
> > other on 10.0.0.0/24. An ESP tunnel between.
>
> ;-)
>
> > Other than my decrypted packets have started appearing to ipfw as if
> > they were coming from fxp1 (which is what started this mess) everything
> > else is working just fine.
>
> It is only filtering the decrypted packets that I'm talking about
> all the time. It's impossible to build a filter that says:
>
> - ESP from my peer is OK
> - 10... to 192.168... is OK if it's coming out of the ESP tunnel
> - 10... to 192.168... is _not_ OK if it's coming in my external IF
>   in plain text
>
> If you want to allow the decrypted traffic in, you have to allow all
> traffic with identical addresses, even if it hasn't arrived
> through the ESP tunnel but just came to the outside IF of your
> network by some other route.

Huh? What about an ipfw ruleset something like....

    # allow ipsec esp tunnel between me and peer
    allow esp from peer to me via ext.nic
    allow esp from me to peer via ext.nic

    # drop bogus traffic from 10.0.0.0/8 arriving on external nic
    deny ip from 10... to any in via ext.nic

    # allow private traffic between locations to flow
    allow ip from 10... to 192.168... out via int.nic
    allow ip from 192.168... to 10... in via int.nic

Granted the ruleset above assumes you are *not* using gif tunnels, just
ipsec tunnels. The encrypted traffic arrives on the external interface,
is decrypted and passed back to the kernel for routing & filtering. Ipfw
rules for the internal nic then allow or deny the traffic.

Or did I miss something?

Thanks,
Greg
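The following is an added example, not part of Greg's post and not FreeBSD's own ipfw code: a small Python model of ipfw's first-match evaluation, applied to the ruleset sketched above. The interface names (ext0, int0), the tunnel endpoint addresses, the rule numbers and the sample packets are all constructed placeholders. It checks a forwarded packet the way ipfw does, once inbound and once outbound, and makes the point of the thread concrete: a decrypted packet that the kernel presents as inbound on the external NIC is indistinguishable from a spoofed plaintext packet with the same addresses, so the anti-spoofing deny rule drops both; the same packet checked only on its way out the internal NIC is allowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholders: interface names, tunnel endpoints, rule numbers.
EXT, INT = "ext0", "int0"
ME, PEER = "203.0.113.10", "198.51.100.20"


@dataclass(frozen=True)
class Packet:
    proto: str       # "esp", "tcp", ... as ipfw classifies it
    src: str
    dst: str
    direction: str   # "in" or "out"
    iface: str       # the interface ipfw attributes the packet to


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str                       # "ip" matches every IP protocol, ESP included
    src: str                         # CIDR / host, or "any"
    dst: str
    direction: Optional[str] = None  # None models "via": either direction
    iface: Optional[str] = None


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _addr_ok(rule.src, pkt.src)
            and _addr_ok(rule.dst, pkt.dst)
            and rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """ipfw is first-match: the first rule that matches decides.
    Nothing matched falls through to the default rule 65535, modelled
    here as deny (kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535


# The ruleset sketched in the reply, with the placeholders filled in.
RULES = [
    Rule(100, "allow", "esp", PEER, ME, None, EXT),
    Rule(110, "allow", "esp", ME, PEER, None, EXT),
    Rule(200, "deny", "ip", "10.0.0.0/8", "any", "in", EXT),
    Rule(300, "allow", "ip", "10.0.0.0/8", "192.168.0.0/16", "out", INT),
    Rule(310, "allow", "ip", "192.168.0.0/16", "10.0.0.0/8", "in", INT),
]


def forward(rules, proto, src, dst, in_iface, out_iface) -> Tuple[str, int]:
    """A packet the box forwards is checked twice: inbound on the interface
    ipfw attributes it to, then (if still alive) outbound on the interface
    it leaves by."""
    verdict = evaluate(rules, Packet(proto, src, dst, "in", in_iface))
    if verdict[0] == "deny":
        return verdict
    return evaluate(rules, Packet(proto, src, dst, "out", out_iface))


def tunnel_scenarios() -> dict:
    inner = ("tcp", "10.0.0.5", "192.168.100.7")   # a packet carried in the tunnel
    return {
        # the ESP envelope itself, arriving from the peer
        "esp from peer": evaluate(RULES, Packet("esp", PEER, ME, "in", EXT)),
        # same inner addresses sent in clear text to the external NIC
        "spoofed plaintext on ext": forward(RULES, *inner, EXT, INT),
        # decrypted packet re-presented as inbound on the external NIC:
        # identical to the spoofed case from ipfw's point of view
        "decrypted, attributed to ext": forward(RULES, *inner, EXT, INT),
        # decrypted packet checked only on its way out the internal NIC
        "decrypted, checked on int only": evaluate(RULES, Packet(*inner, "out", INT)),
        # ESP from anyone but the peer still falls through to the default deny
        "unrelated esp": evaluate(RULES, Packet("esp", "192.0.2.9", ME, "in", EXT)),
    }


if __name__ == "__main__":
    for name, (action, num) in tunnel_scenarios().items():
        print(f"{name:32s} -> {action} (rule {num})")
```

The model treats `via` as matching either direction and `ip` as matching any protocol, which is how ipfw reads those keywords. The two middle scenarios feed identical packets to the same rules, so rule 200 (the anti-spoofing deny on the external NIC) cannot tell a decrypted tunnel packet from a forged one unless the kernel attributes the decrypted packet to some other interface; that is the distinction the reply's last paragraph relies on.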