Date: Wed, 8 Nov 2006 08:20:27 +0100
From: giannidoe@mac.com
To: freebsd-questions@freebsd.org
Subject: IPsec and ipf processing with IPSEC_FILTERGIF
Message-ID: <1E4A6B6F-5207-4EB4-BF17-12E155152790@mac.com>
I'm running IPsec in tunnel mode with the setup on host W.Z.Y.Z as:

spdadd 192.168.0.0/24 192.168.200.0/24 any -P out ipsec esp/tunnel/W.Z.Y.Z-A.B.C.D/unique;
spdadd 192.168.200.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/A.B.C.D-W.Z.Y.Z/unique;

Up until yesterday this was working fine with the IPSEC_FILTERGIF option activated in the kernel and the ipfilter rules as listed below (fxp0 is the internet-facing NIC). The only changes I made were to install OpenVPN and add an ipf rule to allow in UDP packets on port 1194, things that shouldn't have had any effect on the IPsec tunnel afaik. After flushing and reloading the ipf rules my IPsec tunnel stopped working, and on investigation it proved to be the following rule blocking the decrypted packets coming in on the internet interface:

@9 block in log first quick on fxp0 from 192.168.0.0/16 to any

I haven't rebuilt the kernel or world for a few weeks, so I'm at a complete loss to explain how this was working before and then stopped working... yes, the ipf rules were in place before... anyway, I don't expect much help here without some hard evidence. I have now rebuilt kernel and world to FreeBSD 6.2-PRERELEASE #8 and the behaviour remains.

What I would appreciate is some clarification and advice on how IPsec and ipfilter should interact when the IPSEC_FILTERGIF option is set. I've found various clues around the net, but most of them are out of date and it seems this has been an actively changing subject. I suppose the crux of the matter is:

* Is it correct that with IPSEC_FILTERGIF the decrypted packets are fed back in to the *outside* interface?
* If I have to set rules to allow 192.168.0.0/24 in on my internet interface, won't this then be at risk from spoofing?
@1 pass in quick on fxp1 all
@2 pass in quick on fxp0 proto udp from any to any port = isakmp keep state
@3 pass in quick on fxp0 proto esp from any to any
@4 pass in quick on fxp0 proto ipencap from any to any
@5 pass in quick on lo0 all
@6 pass in quick on fxp0 proto udp from any to any port = domain keep state
@7 pass in quick on fxp0 proto tcp from any to any port = domain flags S/FSRPAU keep state keep frags
@9 block in log first quick on fxp0 from 192.168.0.0/16 to any
@10 block in quick on fxp0 from 172.16.0.0/12 to any
@11 block in quick on fxp0 from 10.0.0.0/8 to any
@12 block in quick on fxp0 from 127.0.0.0/8 to any
@13 block in quick on fxp0 from 0.0.0.0/8 to any
@14 block in quick on fxp0 from 169.254.0.0/16 to any
@15 block in quick on fxp0 from 192.0.2.0/24 to any
@16 block in quick on fxp0 from 204.152.64.0/23 to any
@17 block in quick on fxp0 from 224.0.0.0/3 to any
@18 block in quick on fxp0 proto tcp from any to any with short
@19 block in quick on fxp0 from any to any with opt lsrr
@20 block in quick on fxp0 from any to any with opt ssrr
@21 block in log first quick on fxp0 proto tcp from any to any flags FPU/FSRPAU
@22 block in quick on fxp0 from any to any with ipopts
@23 pass in quick on fxp0 proto icmp from x.x.x.x/32 to any icmp-type echo keep state
@24 pass in quick on fxp0 proto icmp from any to any icmp-type unreach keep state
@25 block in quick on fxp0 proto icmp from any to any icmp-type echo
@26 block in quick on fxp0 proto tcp from any to any port = auth
@27 block in log first quick on fxp0 proto tcp/udp from any to any port = netbios-ns
@28 block in log first quick on fxp0 proto tcp/udp from any to any port = netbios-dgm
@29 block in log first quick on fxp0 proto tcp/udp from any to any port = netbios-ssn
@30 block in log first quick on fxp0 proto tcp/udp from any to any port = hosts2-ns
@31 pass in quick on fxp0 proto tcp from any to any port = ssh flags S/FSRPAU keep state keep frags
@32 block in log first quick on fxp0 all

Thanks
Gianni
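An added example, not part of Gianni's post: a small Python model of ipf's first-match "quick" semantics run over a subset of the quoted ruleset. It shows why the ESP envelope from the peer passes at @3 while the decrypted inner packet (192.168.200.x to 192.168.0.x), when filtered again on fxp0 as the post describes for IPSEC_FILTERGIF, is decided by rule @9. The peer addresses and the inner packet's port are constructed placeholders, and flags/keep state qualifiers are assumed irrelevant to where these two packets decide.

```python
import ipaddress

# Subset of the ipf ruleset quoted in the post, kept in the original order
# (fxp0 is the internet-facing NIC); rules not needed for the two packets are omitted.
RULESET = """
@1 pass in quick on fxp1 all
@2 pass in quick on fxp0 proto udp from any to any port = isakmp keep state
@3 pass in quick on fxp0 proto esp from any to any
@7 pass in quick on fxp0 proto tcp from any to any port = domain flags S/FSRPAU keep state keep frags
@9 block in log first quick on fxp0 from 192.168.0.0/16 to any
@32 block in log first quick on fxp0 all
"""
SERVICES = {"isakmp": 500, "domain": 53}  # service names used by the rules above

def parse_rule(line):
    """Parse the ipf subset above: action, direction, quick, interface, optional proto,
    from/to (any or CIDR) and 'port = name'. flags/keep state/log are not modelled (assumption)."""
    tok = line.split()
    rule = {"id": tok[0], "action": tok[1], "dir": tok[2], "quick": "quick" in tok,
            "iface": tok[tok.index("on") + 1], "proto": None, "src": "any", "dst": "any", "port": None}
    if "proto" in tok:  # "tcp/udp" in ipf means either protocol
        rule["proto"] = tok[tok.index("proto") + 1].split("/")
    if "from" in tok:
        rule["src"], rule["dst"] = tok[tok.index("from") + 1], tok[tok.index("to") + 1]
    if "port" in tok:  # tokens are: port = name
        rule["port"] = SERVICES[tok[tok.index("port") + 2]]
    return rule

def rule_matches(rule, pkt):
    in_net = lambda spec, a: spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec)
    return (rule["dir"] == pkt["dir"] and rule["iface"] == pkt["iface"]
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and (rule["port"] is None or pkt.get("dport") == rule["port"])
            and in_net(rule["src"], pkt["src"]) and in_net(rule["dst"], pkt["dst"]))

def decide(pkt, ruleset=RULESET):
    """ipf semantics: a matching 'quick' rule decides at once; otherwise the last match wins."""
    verdict = ("pass", None)  # ipf's default when nothing matches
    for line in ruleset.strip().splitlines():
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            verdict = (rule["action"], rule["id"])
            if rule["quick"]:
                break
    return verdict

# Constructed packets (placeholder addresses): the ESP envelope from the peer as it arrives
# on fxp0, and the inner packet after decryption, re-filtered on fxp0 per the post.
ESP_OUTER = {"dir": "in", "iface": "fxp0", "proto": "esp", "src": "203.0.113.1", "dst": "198.51.100.1"}
DECRYPTED_INNER = {"dir": "in", "iface": "fxp0", "proto": "tcp", "src": "192.168.200.5",
                   "dst": "192.168.0.10", "dport": 22}
```

Running `decide(ESP_OUTER)` yields `('pass', '@3')` and `decide(DECRYPTED_INNER)` yields `('block', '@9')`: the anti-spoofing rule fires before any rule that could admit the tunnel's inner traffic.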