Date: Fri, 9 May 2003 12:16:15 +0200
From: "Barry Irwin" <bvi@itouchlabs.com>
To: "Danny Carroll" <fbsd@dannysplace.net>, "Peter Pentchev" <roam@ringlet.net>
Cc: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <03b901c31614$06686dd0$4508a8c0@Beastie>
References: <20030430190040.A78C937B407@hub.freebsd.org> <1051788543.641.31.camel@thoreau.sohotech.ca> <20030501104614.A29056@chaos.obstruction.com> <1052214194.d45fa9082ef35@www.dannysplace.com> <20030506092623.I56271@cithaeron.argolis.org> <1052258867.b640e23b86613@www.dannysplace.com> <20030507055036.GA665@straylight.oblivion.bg> <1052299663.086db7b178457@www.dannysplace.com> <003101c314cf$930ceef0$e464a8c0@llama>
You just need to allow esp and ah depending on what you are using. Also
remember port 500 for IKE.

Barry
--
Barry Irwin bvi@itouchlabs.com Tel: +27214875178
Systems Administrator: Networks And Security
iTouch Technology iTouch TAS http://www.itouchlabs.com Mobile: +27824457210

----- Original Message -----
From: "Danny Carroll" <fbsd@dannysplace.net>
To: "Peter Pentchev" <roam@ringlet.net>
Cc: <freebsd-security@freebsd.org>
Sent: Wednesday, May 07, 2003 9:33 PM
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

> As promised, my ruleset that works..
> I've removed the lines that are important for me to keep a secret... But
> they are only things like ftp...
> My Natd.conf only has some port redirects for web/ftp etc...
> p.s. Sorry for the top-post...
>
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
>
> # Spoof protection.
> deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0
> deny log logamount 500 ip from any to 10.0.0.0/8 via xl0
> deny log logamount 500 ip from any to 172.16.0.0/12 via xl0
> deny log logamount 500 ip from any to 192.168.0.0/24 via xl0
> deny log logamount 500 ip from 0.0.0.0/8 to any via xl0
> deny log logamount 500 ip from 169.254.0.0/16 to any via xl0
> deny log logamount 500 ip from 192.0.2.0/24 to any via xl0
> deny log logamount 500 ip from 224.0.0.0/4 to any via xl0
> deny log logamount 500 ip from 240.0.0.0/4 to any via xl0
>
> #Disallow smb/nmb
> deny log logamount 500 tcp from any to any 137-139 via xl0
> deny log logamount 500 tcp from any 137-139 to any via xl0
> deny log logamount 500 udp from any to any 137-139 via xl0
> deny log logamount 500 udp from any 137-139 to any via xl0
>
> # Now divert, and setup my pipes... (These are so my web/ftp server leaves
> me some bandwidth)
> pipe 1 ip from 192.168.10.0/24 to any out xmit xl0
> divert 8668 ip from any to any via xl0
> pipe 2 ip from any to 192.168.10.0/24 in recv xl0
>
> allow tcp from any to any established
> allow tcp from any to any 25 setup
> allow tcp from any to any 21 setup
> allow tcp from any to any 80 setup
> allow tcp from any to any 443 setup
> allow udp from 192.168.50.0/24 to any keep-state
> allow tcp from 192.168.50.0/24 to any setup
> deny log logamount 500 tcp from any to any in recv xl0 setup
> allow icmp from any to any
> deny log logamount 500 ip from any to any
> 65535 deny ip from any to any
>
> ----- Original Message -----
> From: "Danny Carroll" <fbsd@dannysplace.net>
> To: "Peter Pentchev" <roam@ringlet.net>
> Cc: <freebsd-security@freebsd.org>
> Sent: Wednesday, May 07, 2003 11:27 AM
> Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
>
>
> > Quoting Peter Pentchev <roam@ringlet.net>:
> > > You have a very good point here, if by 'IP and UDP' you actually meant
> > > to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
> > > UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> > > ESP packet is an IP packet at the same time. If you meant to say that
> > > most firewalls only allow TCP and UDP packets, then this is absolutely
> > > true: a firewall that only allows TCP and UDP, then denies all the rest
> > > of IP traffic without special provisions for ICMP or ESP, would
> > > certainly not let any IPsec traffic through.
> >
> > You see, I knew I was writing that the wrong way round... Of course I
> > meant tcp and udp.
> >
> > > Come to think of it, a firewall that only allows TCP and UDP traffic
> > > and then denies any other IP traffic, including ICMP, is doing a great
> > > disservice to both itself, its internal network, and the Internet at
> > > large. This has been said many, many times in many forums, but still:
> > > some ICMP messages are not only beneficial, they are essential for
> > > the correct operation of the network. Firewalling all ICMP traffic
> > > is a very bad idea.
> >
> > Agreed!
> >
> > To those that want my rules... I will post them tonight, when I can make
> > sure that they are actually working. From memory I was adding a "allow esp"
> > rule temporarily when I needed vpn support.
> > -D
> >
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
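Added illustration, not code from the thread: a small stateless first-match simulator over the allow/deny rules Danny posted, showing why an ESP, AH or IKE packet falls through to his final deny and how the esp/ah/udp 500 rules Barry describes change the verdict. The placement of those three rules, the sample addresses, and the simplifications (no keep-state tracking, interfaces and pipe/divert rules ignored) are assumptions.

```python
import ipaddress

# Constructed: the allow/deny rules of Danny's ipfw ruleset an inbound packet
# on xl0 reaches (pipe/divert lines left out, they do not decide the verdict).
RULESET = [
    "allow tcp from any to any established",
    "allow tcp from any to any 25 setup",
    "allow udp from 192.168.50.0/24 to any keep-state",
    "deny tcp from any to any in recv xl0 setup",
    "allow icmp from any to any",
    "deny ip from any to any",
]
IPSEC_RULES = [  # Barry's answer: ESP, AH and IKE on UDP/500; placement is assumed
    "allow esp from any to any",
    "allow ah from any to any",
    "allow udp from any to any 500",
]

def parse(rule):
    # -> (action, proto, src, sport, dst, dport, options)
    w = rule.split()
    i, j = w.index("from"), w.index("to")
    sport = w[i + 2] if i + 2 < j else None
    rest = w[j + 2:]
    dport = rest.pop(0) if rest and rest[0][0].isdigit() else None
    return w[0], w[1], w[i + 1], sport, w[j + 1], dport, set(rest)

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def port_ok(spec, port):
    lo, _, hi = (spec or "0-65535").partition("-")  # ipfw ranges look like 137-139
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    _, proto, src, sport, dst, dport, opts = parse(rule)
    # setup/established describe TCP flags, so they never match ESP, AH or UDP
    flags_ok = (("setup" not in opts or pkt.get("flags") == "syn")
                and ("established" not in opts or pkt.get("flags") == "ack"))
    return (proto in ("ip", pkt["proto"]) and flags_ok
            and addr_ok(src, pkt["src"]) and addr_ok(dst, pkt["dst"])
            and port_ok(sport, pkt.get("sport", 0)) and port_ok(dport, pkt.get("dport", 0)))

def verdict(rules, pkt):
    # First match wins, as in ipfw; stateless (keep-state and interfaces ignored).
    for rule in rules:
        if matches(rule, pkt):
            return parse(rule)[0]
    return "deny"  # ipfw's implicit final deny
```

Run `verdict(RULESET, {"proto": "esp", "src": "203.0.113.5", "dst": "198.51.100.9"})` against the bare ruleset and again with `IPSEC_RULES + RULESET` to see the verdict flip from deny to allow.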