From: "Barry Irwin" <bvi@itouchlabs.com>
To: "Danny Carroll", "Peter Pentchev"
Cc: freebsd-security@freebsd.org
Date: Fri, 9 May 2003 12:16:15 +0200
Organization: iTouch Labs
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

You just need to allow esp and ah, depending on what you are using. Also remember port 500 for IKE.

Barry
--
Barry Irwin bvi@itouchlabs.com Tel: +27214875178
Systems Administrator: Networks And Security
iTouch Technology iTouch TAS http://www.itouchlabs.com Mobile: +27824457210

----- Original Message -----
From: "Danny Carroll"
To: "Peter Pentchev"
Cc: freebsd-security@freebsd.org
Sent: Wednesday, May 07, 2003 9:33 PM
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

> As promised, my ruleset that works...
> I've removed the lines that are important for me to keep a secret... But
> they are only things like ftp...
> My Natd.conf only has some port redirects for web/ftp etc...
> p.s. Sorry for the top-post...
>
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
>
> # Spoof protection.
> deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0
> deny log logamount 500 ip from any to 10.0.0.0/8 via xl0
> deny log logamount 500 ip from any to 172.16.0.0/12 via xl0
> deny log logamount 500 ip from any to 192.168.0.0/24 via xl0
> deny log logamount 500 ip from 0.0.0.0/8 to any via xl0
> deny log logamount 500 ip from 169.254.0.0/16 to any via xl0
> deny log logamount 500 ip from 192.0.2.0/24 to any via xl0
> deny log logamount 500 ip from 224.0.0.0/4 to any via xl0
> deny log logamount 500 ip from 240.0.0.0/4 to any via xl0
>
> # Disallow smb/nmb
> deny log logamount 500 tcp from any to any 137-139 via xl0
> deny log logamount 500 tcp from any 137-139 to any via xl0
> deny log logamount 500 udp from any to any 137-139 via xl0
> deny log logamount 500 udp from any 137-139 to any via xl0
>
> # Now divert, and setup my pipes... (These are so my web/ftp server leaves me some bandwidth)
> pipe 1 ip from 192.168.10.0/24 to any out xmit xl0
> divert 8668 ip from any to any via xl0
> pipe 2 ip from any to 192.168.10.0/24 in recv xl0
>
> allow tcp from any to any established
> allow tcp from any to any 25 setup
> allow tcp from any to any 21 setup
> allow tcp from any to any 80 setup
> allow tcp from any to any 443 setup
> allow udp from 192.168.50.0/24 to any keep-state
> allow tcp from 192.168.50.0/24 to any setup
> deny log logamount 500 tcp from any to any in recv xl0 setup
> allow icmp from any to any
> deny log logamount 500 ip from any to any
> 65535 deny ip from any to any
>
> ----- Original Message -----
> From: "Danny Carroll"
> To: "Peter Pentchev"
> Cc: freebsd-security@freebsd.org
> Sent: Wednesday, May 07, 2003 11:27 AM
> Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
>
> > Quoting Peter Pentchev:
> > > You have a very good point here, if by 'IP and UDP' you actually meant
> > > to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
> > > UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> > > ESP packet is an IP packet at the same time. If you meant to say that
> > > most firewalls only allow TCP and UDP packets, then this is absolutely
> > > true: a firewall that only allows TCP and UDP, then denies all the rest
> > > of IP traffic without special provisions for ICMP or ESP, would
> > > certainly not let any IPsec traffic through.
> >
> > You see, I knew I was writing that the wrong way round... Of course I meant
> > tcp and udp.
> >
> > > Come to think of it, a firewall that only allows TCP and UDP traffic
> > > and then denies any other IP traffic, including ICMP, is doing a great
> > > disservice to both itself, its internal network, and the Internet at
> > > large. This has been said many, many times in many forums, but still:
> > > some ICMP messages are not only beneficial, they are essential for
> > > the correct operation of the network. Firewalling all ICMP traffic
> > > is a very bad idea.
> >
> > Agreed!
> >
> > To those that want my rules... I will post them tonight, when I can make sure
> > that they are actually working. From memory I was adding an "allow esp" rule
> > temporarily when I needed vpn support.
> > -D
> >
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
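To make Barry's point concrete, here is a toy first-match evaluator, added as an illustration and not code from the thread or from ipfw itself, run over the protocol-level rules of Danny's posted set with and without the ESP, AH and UDP/500 allow rules. The peer and firewall addresses are constructed TEST-NET values; interfaces, keep-state, divert and pipe rules are not modelled.

```python
import ipaddress

# Toy first-match evaluator in the spirit of ipfw (not ipfw: no interfaces, state, divert or pipes)
ANY = "0.0.0.0/0"

def rule(action, proto, src=ANY, dst=ANY, dport=None, flags=()):
    """proto is 'ip' (matches everything), 'tcp', 'udp', 'icmp', 'esp' or 'ah'."""
    return {"action": action, "proto": proto, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "dport": dport, "flags": set(flags)}

def matches(r, pkt):
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    # 'setup' matches only a TCP SYN; 'established' matches everything but a SYN
    if "setup" in r["flags"] and not pkt.get("syn", False):
        return False
    if "established" in r["flags"] and pkt.get("syn", False):
        return False
    return True

def evaluate(rules, pkt):
    """First matching rule decides; the implicit rule 65535 denies whatever is left."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"

# The protocol-level part of Danny's posted ruleset (log options and ftp/https dropped)
BASE = [
    rule("allow", "tcp", flags=["established"]),
    rule("allow", "tcp", dport=25, flags=["setup"]),
    rule("allow", "udp", src="192.168.50.0/24"),
    rule("allow", "tcp", src="192.168.50.0/24", flags=["setup"]),
    rule("deny", "tcp", flags=["setup"]),
    rule("allow", "icmp"),
    rule("deny", "ip"),
]
# Barry's advice: ESP, AH and UDP/500 (IKE), placed ahead of the final deny
IPSEC = [rule("allow", "esp"), rule("allow", "ah"), rule("allow", "udp", dport=500)]
WITH_IPSEC = BASE[:-1] + IPSEC + BASE[-1:]
# Constructed traffic from a remote VPN peer (TEST-NET addresses) to the firewall
ESP_IN = {"proto": "esp", "src": "198.51.100.7", "dst": "203.0.113.1"}
IKE_IN = {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.1", "dport": 500}
SSH_IN = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.1", "dport": 22, "syn": True}
```

Without the three extra rules both the ESP payload and the IKE negotiation fall through to the final deny, which is exactly why the VPN only worked while the temporary "allow esp" was in place.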