Date: Tue, 21 Jan 2003 11:02:44 -0800
From: "Crist J. Clark"
To: Pekka Nikander
Cc: Mike Durian, freebsd-net@freebsd.org
Subject: Re: Question about IPsec and double ipfilter processing
Message-ID: <20030121190244.GE6871@blossom.cjclark.org>
In-Reply-To: <3E2D482C.9030700@nomadiclab.com>
Reply-To: cjclark@alum.mit.edu

On Tue, Jan 21, 2003 at 03:16:28PM +0200, Pekka Nikander wrote:
> Crist,
> 
> Crist J. Clark wrote:
> >I don't see this. I have one rule on my external interface,
> >
> >  block in log quick on de0 all head 2000
> >  ...
> >  pass in quick proto esp from any to 12.234.89.252/32
> >       group 2000
> >
> >That allows in ESP traffic from any host. No other rules are required
> >on this interface for the IPsec tunnel to work.
> >
> >Obviously, I need a rule on the internal interface to let the
> >unencrypted traffic pass this interface. But since all of the
> >interesting filtering of traffic from the outside world happens on the
> >external interface,
> >
> >  pass out quick on fxp0 all
> 
> I don't quite understand. Firstly, are you saying that you
> *only* accept IPsec and nothing else from your external
> interface? That is not the case with Mike or me; at least I
> need to use my external interface for generic Internet traffic,
> too, so I can't block all other traffic.

I do accept some other very limited incoming traffic. Here's the full
list for the external interface if it helps,

  # External in
  block in log quick on PUB_IF all head 2000

  # Nothing funny coming in
  block in log quick all with ipopts group 2000
  block in log quick all with short group 2000
  block in log quick from PRIV_NET to any group 2000

  # Allow SSH
  pass in log first quick proto tcp from OFFICE to BLOSSOM port = ssh \
       flags S keep state group 2000

  # Allow DHCP
  pass in quick proto udp from any port = 67 to any port = 68 group 2000

  # Allow IKE and ESP
  pass in log quick proto udp from any to PUB_IP port = 500 group 2000
  pass in quick proto esp from any to PUB_IP group 2000

All I let in is ssh, 22/tcp, from a single external host, DHCP, 68/udp,
and stuff for IPsec, 500/udp and ESP.

> Secondly, are you using ipfw2? I thought it was only available
> in -CURRENT or 5.0, not in 4.7-STABLE? Or am I wrong?

I'm using IPFilter not ipfw[12]. But good news, you are wrong, ipfw2 is
available in RELENG_4.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
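The ruleset above hinges on one IPFilter mechanism: the `block ... all head 2000` rule on the external interface matches every inbound packet, hands it to the `group 2000` rules, and its own `block` stands if none of them produces a `quick` match. The following evaluator is an added example written for this page; it is not code from the thread or from IPFilter. It models only the subset of ipf semantics the posted rules use (in-order evaluation, `quick`, `head`/`group`, address, port, protocol, `flags S` and `with ipopts`/`with short` as simple flags; `keep state` and `log` are ignored), substitutes constructed values for the macros other than `PUB_IP` (which is the address quoted in the message), and assumes ipf's default policy is pass when nothing matches. It does not model what happens to the decrypted inner packet after ESP processing, which is the question the thread is about. It then classifies a handful of constructed packets to show that `quick` group rules are what let ESP, IKE and office SSH through while the head rule's block catches everything else on `de0`:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
# Constructed macro values; PUB_IP is quoted in the message, the rest are assumed.
MACROS = {"PUB_IF": "de0", "PUB_IP": "12.234.89.252", "BLOSSOM": "12.234.89.252",
          "PRIV_NET": "192.168.1.0/24", "OFFICE": "10.0.0.5"}
SERVICES = {"ssh": 22}
RULESET = """\
block in log quick on PUB_IF all head 2000
block in log quick all with ipopts group 2000
block in log quick all with short group 2000
block in log quick from PRIV_NET to any group 2000
pass in log first quick proto tcp from OFFICE to BLOSSOM port = ssh flags S keep state group 2000
pass in quick proto udp from any port = 67 to any port = 68 group 2000
pass in log quick proto udp from any to PUB_IP port = 500 group 2000
pass in quick proto esp from any to PUB_IP group 2000
"""

@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn_only: bool = False   # TCP with only SYN set, what 'flags S' tests
    ipopts: bool = False     # IP options present ('with ipopts')
    short: bool = False      # header too short to filter on ('with short')

@dataclass
class Rule:
    action: str
    quick: bool = False
    head: Optional[str] = None
    group: Optional[str] = None
    preds: list = field(default_factory=list)   # Packet -> bool; all must hold

def parse_rule(line: str) -> Rule:
    t = line.split()
    r, i = Rule(action=t[0]), 2                 # t[1] is the direction, 'in' throughout
    while i < len(t):
        w, v = t[i], (MACROS.get(t[i + 1], t[i + 1]) if i + 1 < len(t) else None)
        if w in ("log", "first", "all", "keep", "state"):
            i += 1                              # logging and state do not change the verdict
        elif w == "quick":
            r.quick, i = True, i + 1
        elif w in ("on", "proto"):
            attr = "iface" if w == "on" else "proto"
            r.preds.append(lambda p, a=attr, v=v: getattr(p, a) == v); i += 2
        elif w == "flags":                      # the ruleset only uses 'flags S'
            r.preds.append(lambda p: p.syn_only); i += 2
        elif w == "with":                       # 'ipopts' / 'short' map onto Packet fields
            r.preds.append(lambda p, v=v: getattr(p, v)); i += 2
        elif w in ("head", "group"):
            setattr(r, w, v); i += 2
        elif w in ("from", "to"):
            is_src, i = w == "from", i + 2
            if v != "any":
                net = ipaddress.ip_network(v, strict=False)
                r.preds.append(lambda p, n=net, s=is_src:
                               ipaddress.ip_address(p.src if s else p.dst) in n)
            if i + 2 < len(t) and t[i] == "port" and t[i + 1] == "=":
                port, i = SERVICES.get(t[i + 2]) or int(t[i + 2]), i + 3
                r.preds.append(lambda p, n=port, s=is_src: (p.sport if s else p.dport) == n)
        else:
            raise ValueError(f"unsupported token {w!r} in {line!r}")
    return r

def evaluate(rules, p: Packet, default: str = "pass") -> str:
    """Rules in order; a matching 'head' rule evaluates its group and its own action
    stands if no group rule matches; 'quick' ends the search; default is assumed pass."""
    hit = lambda r: all(f(p) for f in r.preds)
    verdict = default
    for r in rules:
        if r.group is not None or not hit(r):
            continue                            # group rules are reached only via their head
        verdict = r.action
        for g in (x for x in rules if r.head and x.group == r.head):
            if hit(g):
                verdict = g.action
                if g.quick:
                    return verdict
        if r.quick:
            return verdict
    return verdict

RULES, PUB = [parse_rule(l) for l in RULESET.splitlines()], MACROS["PUB_IP"]
# Constructed packets; all but the last arrive on the external interface de0.
SAMPLES = {
    "esp from internet": Packet("de0", "203.0.113.7", PUB, "esp"),
    "http from internet": Packet("de0", "203.0.113.7", PUB, "tcp", 40000, 80, syn_only=True),
    "ssh from office": Packet("de0", MACROS["OFFICE"], PUB, "tcp", 40000, 22, syn_only=True),
    "esp claiming private src": Packet("de0", "192.168.1.9", PUB, "esp"),
    "esp with ip options": Packet("de0", "203.0.113.7", PUB, "esp", ipopts=True),
    "http on fxp0": Packet("fxp0", "192.168.1.9", PUB, "tcp", 40000, 80, syn_only=True),
}
def decisions() -> dict:
    return {name: evaluate(RULES, pkt) for name, pkt in SAMPLES.items()}
```

Two things the run makes visible that the rule text alone does not: the `block ... from PRIV_NET` group rule fires before the ESP pass rule, so an ESP packet arriving on `de0` with an internal source address is dropped even though it is ESP to `PUB_IP`; and a packet on `fxp0` never matches the `de0` head, so it falls through to the default policy, which is why a separate rule for the internal interface is needed at all.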