Date: Tue, 21 Jan 2003 11:02:44 -0800 From: "Crist J. Clark" <crist.clark@attbi.com> To: Pekka Nikander <pekka.nikander@nomadiclab.com> Cc: Mike Durian <durian@boogie.com>, freebsd-net@freebsd.org Subject: Re: Question about IPsec and double ipfilter processing Message-ID: <20030121190244.GE6871@blossom.cjclark.org> In-Reply-To: <3E2D482C.9030700@nomadiclab.com> References: <200301201731.49942.durian@boogie.com> <20030121063451.GB37009@blossom.cjclark.org> <3E2D482C.9030700@nomadiclab.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jan 21, 2003 at 03:16:28PM +0200, Pekka Nikander wrote:
> Crist,
>
> Crist J. Clark wrote:
> >I don't see this. I have one rule on my external interface,
> >
> > block in log quick on de0 all head 2000
> > ...
> > pass in quick proto esp from any to 12.234.89.252/32
> > group 2000
> >
> >That allows in ESP traffic from any host. No other rules are required
> >on this interface for the IPsec tunnel to work.
> >
> >Obviously, I need a rule on the internal interface to let the
> >unecrypted traffic pass this interface. But since all of the
> >interesting filtering of traffic from the outside world happens on the
> >external interface,
> >
> > pass out quick on fxp0 all
> >
>
> I don't quite understand. Firstly, are you saying that you
> *only* accept IPsec and nothing else from your external
> interface? That is not the case with Mike or me; at least I
> need to use my external interface for generic Internet traffic,
> too, so I can't block all other traffic.
I do accept some other very limited incoming traffic. Here's the full
list for the external interface if it helps,
# External in
block in log quick on PUB_IF all head 2000
# Nothing funny coming in
block in log quick all with ipopts group 2000
block in log quick all with short group 2000
block in log quick from PRIV_NET to any group 2000
# Allow SSH
pass in log first quick proto tcp from OFFICE to BLOSSOM port = ssh flags S keep state group 2000
# Allow DHCP
pass in quick proto udp from any port = 67 to any port = 68 group 2000
# Allow IKE and ESP
pass in log quick proto udp from any to PUB_IP port = 500 group 2000
pass in quick proto esp from any to PUB_IP group 2000
All I let in is ssh, 22/tcp, from a single external host, DHCP,
68/udp, and stuff for IPsec, 500/udp and ESP.
> Secondly, are you using ipfw2? I thought it was only available
> in -CURRENT or 5.0, not in 4.7-STABLE? Or am I wrong?
I'm using IPFilter not ipfw[12]. But good news, you are wrong, ipfw2
is available in RELENG_4.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030121190244.GE6871>