Date:      Mon, 19 Feb 2001 17:35:39 -0500
From:      Chris Johnson <cjohnson@palomine.net>
To:        security@freebsd.org
Subject:   Firewall rules with natd and IPSEC VPN
Message-ID:  <20010219173539.A75521@palomine.net>



I followed the how-to at http://www.mutex.org/aaron/tips/ipsec and set up an
encrypted VPN between two RFC 1918 networks. Each has a FreeBSD 4.2 box running
natd, with a private interface and a public interface. The private network on
one end is 192.168.11.0/24, and on the other end is 192.168.5.0/24.

It mostly works as I'd hoped, but I'm a little hazy on what firewall rules need
to be in place. Before I implemented the VPN, I had:

add divert 8668 ip from any to any via dc0
[a bunch of other stuff]

I found that in order to make the VPN work, I had to change this to:

ipfw add allow ip from 192.168.11.0/24 to 192.168.5.0/24
ipfw add allow ip from 192.168.5.0/24 to 192.168.11.0/24
add divert 8668 ip from any to any via dc0
[a bunch of other stuff]

With the above rules, things seem to work. But the two rules I added before the
divert rule make me a little nervous. Should they? Is there something more
restrictive that will still work?

My ipsec.conf file has the following:

spdadd 192.168.5.0/24 192.168.11.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.11.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;

Does this protect me from someone spoofing a 192.168.5.0/24 address and getting
something through my firewall, since any packet arriving from 192.168.5.0/24
will have the above security policy applied to it? (Obviously my understanding
of this IPSEC stuff is a little vague; thanks for your patience.)

Chris Johnson



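One tighter arrangement of the ruleset discussed above, written here as an added example (it is not the poster's ruleset, nor the one from the linked how-to). It keeps the message's "add ..." file format and its placeholder gateway addresses (5.6.7.8 local, 1.2.3.4 peer, taken from the spdadd lines); the inside interface name dc1, the rule numbers and the divert port placement are assumptions. The point it shows is that the two blanket allows can be narrowed to the exact network pair, that ESP/IKE only need to pass between the two gateway addresses, and that anti-spoofing denies can sit in front of everything without breaking the tunnel, because an inbound decapsulated packet carries the far network as its source, never the local one.

```shell
#!/bin/sh
# Added example for the VPN gateway described in the message above; not the
# poster's configuration. Assumed (hypothetical) values: public interface dc0,
# inside interface dc1, local gateway 5.6.7.8, peer gateway 1.2.3.4, natd on
# divert port 8668.
OIF=dc0
IIF=dc1
LNET=192.168.11.0/24
RNET=192.168.5.0/24
ME=5.6.7.8
PEER=1.2.3.4
DIVERT_PORT=8668

# gen_rules prints rules in the "add ..." file format used in the message, so
# the output can be loaded with:  gen_rules > /etc/ipfw.vpn; ipfw /etc/ipfw.vpn
gen_rules() {
	cat <<EOF
# Anti-spoofing: the public wire may never present an inside source address,
# and the inside wire may never present the far network as a source.
add 100 deny log ip from ${LNET} to any in via ${OIF}
add 110 deny log ip from ${RNET} to any in via ${IIF}
# The only cleartext the VPN needs: ESP and IKE between the two gateways.
# Whether ipfw sees the outer ESP packet in each direction depends on the
# release; the counters in "ipfw -a list" show which of these rules are hit.
add 200 allow esp from ${PEER} to ${ME} in via ${OIF}
add 210 allow esp from ${ME} to ${PEER} out via ${OIF}
add 220 allow udp from ${PEER} 500 to ${ME} 500 in via ${OIF}
add 230 allow udp from ${ME} 500 to ${PEER} 500 out via ${OIF}
# Site-to-site traffic, scoped to the exact network pair instead of blanket
# allows. After ESP decapsulation the inner packet is presented to ipfw again
# with its private addresses, so it must be accepted here, ahead of the divert
# rule, or natd will translate it.
add 300 allow ip from ${LNET} to ${RNET}
add 310 allow ip from ${RNET} to ${LNET}
# NAT for everything else crossing the public interface; the rest of the
# site's rules follow as before.
add 400 divert ${DIVERT_PORT} ip from any to any via ${OIF}
EOF
}

# check_order fails if any site-to-site allow is numbered after the divert
# rule, i.e. the ordering that would hand tunnel traffic to natd.
check_order() {
	rules=$(gen_rules)
	div=$(printf '%s\n' "$rules" | awk '$1=="add" && $3=="divert" {print $2; exit}')
	printf '%s\n' "$rules" | awk -v div="$div" -v l="$LNET" -v r="$RNET" '
		$1=="add" && $3=="allow" && $4=="ip" &&
		(($6==l && $8==r) || ($6==r && $8==l)) && $2+0 > div+0 { bad=1 }
		END { exit bad ? 1 : 0 }'
}

# Run as "sh ipfw-vpn.sh print" to emit the ruleset after checking its order.
if [ "$1" = "print" ]; then
	check_order || { echo "divert rule precedes a site-to-site allow" >&2; exit 1; }
	gen_rules
fi
```

On the spoofing question: to ipfw on this release a cleartext packet arriving on dc0 with a forged 192.168.5.x source and a decapsulated tunnel packet look identical (same inner addresses, same receiving interface), so rule 310 accepts both; what is meant to reject the cleartext one is the inbound `require` entry in the SPD, which the kernel enforces before the packet is delivered or forwarded. Verify that on the box rather than assuming it: send a cleartext packet with a forged source from outside and confirm it never reaches the inside, and watch the inbound policy-violation counter in `netstat -s -p ipsec`. Later ipfw releases add an `ipsec` match option that lets a rule accept only packets that were decapsulated, which would make rule 310 explicit; check ipfw(8) for the release in use.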




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010219173539.A75521>