Date: Wed, 27 Nov 2002 21:00:54 +0100
From: Borja Marcos <borjamar@sarenet.es>
To: freebsd-stable@freebsd.org
Subject: New ipfw+IPSEC behavior
Message-ID: <200211272100.54796.borjamar@sarenet.es>
	Hello,

	I have just upgraded from RELENG_4_7 to -STABLE and found a behavior change between IPSec and IPFW.

	The previous system did not apply IPFW rules to packets after being extracted from a tunnel, and it seems that this behavior has changed.

	I know that tunnels had a problem: you could not filter anything coming through the tunnel, but that behavior had some advantages. Perhaps a compromise would be great.

	In my case, I am using IPsec in a wireless network. Now I have two machines, with one in hostap mode. The ipfw rules are configured like this:

add 200 allow udp from 192.168.2.0/24 500 to me 500 via wi0
add 210 allow udp from me 500 to 192.168.2.0/24 500 via wi0
add 300 allow esp from 192.168.2.0/24 to me via wi0
add 310 allow esp from me to 192.168.2.0/24 via wi0
add 400 deny log all from any to any via wi0

	This may seem odd, but it is very effective. It completely blocks traffic from the wi interface unless it is IKE traffic or ESP. The advantages?

	1 - A wardriver cannot "touch" your machine unless he/she can successfully set up a tunnel, guessing the IKE pre-shared key or exploiting a vulnerability in racoon.

	2 - You are protected from configuration errors. If, for whatever reason, unencrypted traffic "tries" to leave or reach the interface, it will not pass. Moreover, you can see it in the system log.

	Any ideas? It would be great to keep this behavior. Perhaps as an option?

	Borja.
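The following is an added illustration, not part of Borja's message and not FreeBSD code: a small Python model of first-match rule evaluation over the five ipfw rules quoted above. It shows why the ruleset works as described (only IKE on UDP 500 and ESP cross wi0; everything else hits rule 400 and is denied and logged) and why re-filtering decapsulated packets changes the outcome: the inner packet carries an ordinary protocol, matches none of the allow rules, and is denied by rule 400. The local address 192.168.2.1 (what "me" stands for), the peer 192.168.2.10, the sample packets, and the assumption that a decapsulated packet is re-evaluated with wi0 as its interface are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: the addresses that the ipfw keyword "me" expands to on this host.
LOCAL_ADDRS = {"192.168.2.1"}

@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "esp", "tcp", ...
    src: str
    dst: str
    iface: str            # interface the packet is seen on
    sport: Optional[int] = None
    dport: Optional[int] = None

# Transcription of the ruleset from the message:
# (number, action, proto, src, sport, dst, dport, iface)
RULES = [
    (200, "allow", "udp", "192.168.2.0/24", 500, "me", 500, "wi0"),
    (210, "allow", "udp", "me", 500, "192.168.2.0/24", 500, "wi0"),
    (300, "allow", "esp", "192.168.2.0/24", None, "me", None, "wi0"),
    (310, "allow", "esp", "me", None, "192.168.2.0/24", None, "wi0"),
    (400, "deny", "all", "any", None, "any", None, "wi0"),
]

def addr_match(spec: str, addr: str) -> bool:
    """Match an address against 'any', 'me' or a CIDR prefix."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def port_match(spec: Optional[int], port: Optional[int]) -> bool:
    """A rule without a port constraint matches any port."""
    return spec is None or spec == port

def lookup(pkt: Packet) -> Tuple[int, str]:
    """First matching rule wins, as in ipfw. Returns (rule number, action).
    Falls through to an implicit deny if nothing matches."""
    for num, action, proto, src, sport, dst, dport, iface in RULES:
        if proto != "all" and proto != pkt.proto:
            continue
        if iface != pkt.iface:
            continue
        if not (addr_match(src, pkt.src) and addr_match(dst, pkt.dst)):
            continue
        if not (port_match(sport, pkt.sport) and port_match(dport, pkt.dport)):
            continue
        return num, action
    return 65535, "deny"

def deliver(outer: Packet, inner: Packet, refilter_after_decap: bool) -> Tuple[str, Optional[int], str]:
    """Model the two behaviours described in the message.
    The ESP outer packet is always filtered. After decapsulation the inner
    packet is either handed up directly (old behaviour) or sent through the
    ruleset again (new behaviour). Assumption: on re-filtering, the inner
    packet is still attributed to wi0."""
    num, action = lookup(outer)
    if action == "deny":
        return ("outer", num, "deny")
    if not refilter_after_decap:
        return ("inner", None, "allow")
    num, action = lookup(inner)
    return ("inner", num, action)

# Constructed sample traffic from a wireless peer to the hostap machine.
IKE = Packet("udp", "192.168.2.10", "192.168.2.1", "wi0", 500, 500)
CLEARTEXT_SSH = Packet("tcp", "192.168.2.10", "192.168.2.1", "wi0", 40000, 22)
ESP_OUTER = Packet("esp", "192.168.2.10", "192.168.2.1", "wi0")
ESP_INNER = Packet("tcp", "192.168.2.10", "192.168.2.1", "wi0", 40000, 22)

if __name__ == "__main__":
    print("IKE:", lookup(IKE))                              # (200, 'allow')
    print("cleartext ssh:", lookup(CLEARTEXT_SSH))          # (400, 'deny')
    print("old behaviour:", deliver(ESP_OUTER, ESP_INNER, False))
    print("new behaviour:", deliver(ESP_OUTER, ESP_INNER, True))
```

Under the old behaviour the decapsulated SSH session is delivered; under the new one it is denied by rule 400 and would show up in the log exactly like the misconfiguration traffic the author relies on rule 400 to catch, so a ruleset written this way needs an explicit rule for decapsulated traffic to keep working.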