Date: Wed, 25 Oct 2000 22:06:16 +0400 (MSD)
From: Andrey Rouskol <anry@sovintel.ru>
To: Kris Kennaway <kris@citusc17.usc.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipsec and ipfw
Message-ID: <Pine.BSF.4.21.0010252156300.8833-100000@anry.sovintel.ru>
In-Reply-To: <20001025094231.A51227@citusc17.usc.edu>
On Wed, 25 Oct 2000, Kris Kennaway wrote:

> On Wed, Oct 25, 2000 at 07:32:58PM +0400, Andrey Rouskol wrote:
>
> > I've found that in -current outgoing ipsec packets (esp, ah) pass
> > without being filtered by ipfw, and incoming decapsulated traffic is not
> > filtered by ipfw either. So a telnet connection over ipsec with stateful
> > filtering is dropped in 20 seconds (which is dyn_syn_lifetime). All tests
> > were made in 'transport' mode. Is this normal?
>
> Please show us your ipsec configuration and ipfw rules.

Configs below. Rule 261 has counters from test time - it is not updated
during ping.

# ping 10.1.1.225
PING 10.1.1.225 (10.1.1.225): 56 data bytes
64 bytes from 10.1.1.225: icmp_seq=0 ttl=253 time=4.837 ms
64 bytes from 10.1.1.225: icmp_seq=1 ttl=253 time=4.482 ms
64 bytes from 10.1.1.225: icmp_seq=2 ttl=253 time=4.454 ms
^C
--- 10.1.1.225 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.454/4.591/4.837/0.174 ms

ipfw show:
00100   31184  24875678 allow ip from any to any via lo0
00100       0         0 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00200       0         0 deny ip from any to 127.0.0.0/8
00250       0         0 allow log esp from any to 10.1.1.225 out
00251    4643    523472 allow log esp from 10.1.1.225 to any in
00252       0         0 allow ah from any to 10.1.1.225
00253     583     63244 allow ah from 10.1.1.225 to any
00260       3       252 allow log ip from any to 10.1.1.225 out
00261      10      1480 deny log ip from 10.1.1.225 to any in
00300       0         0 check-state
00350   28590   1433158 deny log tcp from any to any established
00800  375543 233329232 allow tcp from any to any keep-state out
00900   10345    968766 allow tcp from any to any 23,21 keep-state in
01000    5077   1427628 allow tcp from any to any 6000 keep-state in
01100 1917883 161015900 allow icmp from any to any
09000    6049    871798 allow udp from any to any 53 keep-state out
09100       0         0 allow log udp from any to any 69 in
09200      48      2682 allow log udp from any to any keep-state out
10000  101386  11335729 deny udp from any to any
10100      10       680 deny log ip from any to any
65535       0         0 deny ip from any to any
## Dynamic rules:
....
---------

setkey -c input:
flush ;
spdflush ;
add 10.2.1.239 10.1.1.225 esp 0x10001 -E des-cbc "ESP with" -A hmac-md5 "authentication!!" ;
add 10.1.1.225 10.2.1.239 esp 0x10002 -E des-cbc "ESP with" -A hmac-md5 "authentication!!" ;
spdadd 10.2.1.239/32 10.1.1.225/32 any -P out ipsec esp/transport/10.2.1.239-10.1.1.225/require ;
spdadd 10.1.1.225/32 10.2.1.239/32 any -P in ipsec esp/transport/10.1.1.225-10.2.1.239/require ;
-------

dmesg output:
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 260 Accept ICMP:8.0 10.2.1.239 10.1.1.225 out via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 260 Accept ICMP:8.0 10.2.1.239 10.1.1.225 out via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 260 Accept ICMP:8.0 10.2.1.239 10.1.1.225 out via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0

>
> Kris
>

Regards, Andrey.
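An added check, not part of Andrey's message or of FreeBSD itself: it parses ipfw log lines in the format shown in the dmesg output above and reports when a transport-mode IPsec peer's ESP/AH is logged inbound and plaintext is logged outbound to it, yet no decapsulated inbound plaintext from that peer ever reaches the log. The sample log lines are copied from the message; the function names are mine.

```python
import re

# Constructed sample: ipfw log lines copied from the dmesg output above.
SAMPLE_LOG = """\
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 260 Accept ICMP:8.0 10.2.1.239 10.1.1.225 out via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 260 Accept ICMP:8.0 10.2.1.239 10.1.1.225 out via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
"""

# Log format of this ipfw: "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <if>".
# Protocols ipfw has no name for are printed as "P:<number>"; 50 is ESP, 51 is AH.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Return one dict per parseable ipfw log line; other lines are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]


def host(addr):
    """Strip a ':port' suffix (TCP/UDP log lines carry ports, ICMP lines do not)."""
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def ipsec_bypass_report(entries, peer):
    """Count what ipfw logged for one IPsec peer and flag the asymmetry.

    If ESP/AH from the peer was logged inbound and plaintext was logged
    outbound to the peer, but no plaintext from the peer was logged inbound,
    the decapsulated replies never re-entered ipfw: no 'in' rule, including
    the dynamic half of a keep-state rule, can match them.
    """
    counts = {"ipsec_in": 0, "inner_in": 0, "inner_out": 0}
    for e in entries:
        src, dst = host(e["src"]), host(e["dst"])
        is_ipsec = e["proto"] in ("P:50", "P:51", "ESP", "AH")
        if e["dir"] == "in" and src == peer:
            counts["ipsec_in" if is_ipsec else "inner_in"] += 1
        elif e["dir"] == "out" and dst == peer and not is_ipsec:
            counts["inner_out"] += 1
    counts["inner_inbound_unfiltered"] = (
        counts["ipsec_in"] > 0 and counts["inner_out"] > 0 and counts["inner_in"] == 0
    )
    return counts
```

Run it over a longer `dmesg` or syslog capture: any peer with `inner_inbound_unfiltered` set is one whose inbound decapsulated traffic is bypassing the ruleset entirely.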