Date: Wed, 27 Nov 2002 21:00:54 +0100
From: Borja Marcos <borjamar@sarenet.es>
To: freebsd-stable@freebsd.org
Subject: New ipfw+IPSEC behavior
Message-ID: <200211272100.54796.borjamar@sarenet.es>
Hello,

I have just upgraded from RELENG_4_7 to -STABLE and found a behavior change between IPsec and IPFW. The previous system did not apply IPFW rules to packets after being extracted from a tunnel, and it seems that this behavior has changed.

I know that tunnels had a problem: you could not filter anything coming through the tunnel, but that behavior had some advantages. Perhaps a compromise would be great.

In my case, I am using IPsec in a wireless network. Now I have two machines, with one in hostap mode. The ipfw rules are configured like this:

    add 200 allow udp from 192.168.2.0/24 500 to me 500 via wi0
    add 210 allow udp from me 500 to 192.168.2.0/24 500 via wi0
    add 300 allow esp from 192.168.2.0/24 to me via wi0
    add 310 allow esp from me to 192.168.2.0/24 via wi0
    add 400 deny log all from any to any via wi0

This may seem odd, but it is very effective. It completely blocks traffic from the wi interface unless it is IKE traffic or ESP. The advantages?

1 - A wardriver cannot "touch" your machine unless he/she can successfully set up a tunnel, guessing the IKE pre-shared key or exploiting a vulnerability in racoon.

2 - You are protected from configuration errors. If, for whatever reason, unencrypted traffic "tries" to leave or reach the interface, it will not pass. Moreover, you can see it in the system log.

Any ideas? It would be great to keep this behavior. Perhaps as an option?

Borja.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
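The following is an added model of the ruleset above, not code from the post or from FreeBSD: a first-match evaluator for the five ipfw rules, plus a switch that reproduces the two kernel behaviors the post contrasts (decapsulated payload skipping ipfw versus being re-filtered on wi0). It assumes "me" is a single constructed address, 192.168.2.1, and a default-accept kernel for packets no rule matches.

```python
import ipaddress

ME = ipaddress.ip_address("192.168.2.1")            # constructed: this host's wi0 address
WIRELESS_NET = ipaddress.ip_network("192.168.2.0/24")

# The post's ruleset as (num, action, proto, src, sport, dst, dport, iface); None = wildcard.
RULES = [
    (200, "allow", "udp", WIRELESS_NET, 500, ME, 500, "wi0"),
    (210, "allow", "udp", ME, 500, WIRELESS_NET, 500, "wi0"),
    (300, "allow", "esp", WIRELESS_NET, None, ME, None, "wi0"),
    (310, "allow", "esp", ME, None, WIRELESS_NET, None, "wi0"),
    (400, "deny", "all", None, None, None, None, "wi0"),
]

def pkt(proto, src, dst, iface="wi0", sport=None, dport=None, payload=None):
    """Constructed packet record; payload holds the decrypted inner packet of an ESP datagram."""
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "iface": iface, "sport": sport, "dport": dport, "payload": payload}

def _match_addr(pattern, addr):
    if pattern is None:
        return True
    if isinstance(pattern, ipaddress.IPv4Network):
        return addr in pattern
    return addr == pattern

def evaluate(p):
    """First matching rule wins; returns (rule number, action). 65535 = default rule (accept assumed)."""
    for num, action, proto, src, sport, dst, dport, iface in RULES:
        if p["iface"] != iface:
            continue
        if proto != "all" and proto != p["proto"]:
            continue
        if not _match_addr(src, p["src"]) or not _match_addr(dst, p["dst"]):
            continue
        if sport is not None and p["sport"] != sport:
            continue
        if dport is not None and p["dport"] != dport:
            continue
        return num, action
    return 65535, "allow"

def filter_stack(p, filter_after_decap):
    """filter_after_decap=False models the RELENG_4_7 behavior the post describes (tunnel payload
    skips ipfw); True models -STABLE, where the payload is evaluated again, still attributed to wi0,
    so rule 400 now drops what rule 300 just let in."""
    outer_num, outer_action = evaluate(p)
    if outer_action == "deny" or p["proto"] != "esp" or not filter_after_decap:
        return outer_num, outer_action
    return evaluate(p["payload"])
```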
