Date:      Wed,  7 May 2003 11:27:43 +0200
From:      Danny Carroll <fbsd@dannysplace.net>
To:        Peter Pentchev <roam@ringlet.net>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID:  <1052299663.086db7b178457@www.dannysplace.com>
In-Reply-To: <20030507055036.GA665@straylight.oblivion.bg>
References:  <20030430190040.A78C937B407@hub.freebsd.org> <1051788543.641.31.camel@thoreau.sohotech.ca> <20030501104614.A29056@chaos.obstruction.com> <1052214194.d45fa9082ef35@www.dannysplace.com> <20030506092623.I56271@cithaeron.argolis.org> <1052258867.b640e23b86613@www.dannysplace.com> <20030507055036.GA665@straylight.oblivion.bg>

Quoting Peter Pentchev <roam@ringlet.net>:
> You have a very good point here, if by 'IP and UDP' you actually meant
> to say 'TCP and UDP', and 'ESP is a different protocol from TCP'.  TCP,
> UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> ESP packet is an IP packet at the same time.  If you meant to say that
> most firewalls only allow TCP and UDP packets, then this is absolutely
> true: a firewall that only allows TCP and UDP, then denies all the rest
> of IP traffic without special provisions for ICMP or ESP, would
> certainly not let any IPsec traffic through.

You see, I knew I was writing that the wrong way round...  Of course I meant
TCP and UDP.

> Come to think of it, a firewall that only allows TCP and UDP traffic
> and then denies any other IP traffic, including ICMP, is doing a great
> disservice to both itself, its internal network, and the Internet at
> large.  This has been said many, many times in many forums, but still:
> some ICMP messages are not only beneficial, they are essential for
> the correct operation of the network.  Firewalling all ICMP traffic
> is a very bad idea.

Agreed!

To those that want my rules...  I will post them tonight, when I can make sure
that they are actually working.  From memory I was adding an "allow esp" rule
temporarily when I needed VPN support.
-D
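The point made in the quoted text above, as an added example that is not part of the original thread or of any FreeBSD code: a small first-match packet filter modelled on ipfw semantics (rule order, implicit default deny) shows why a ruleset that allows only TCP and UDP drops both ESP and ICMP, and what a ruleset that passes IPsec has to allow. Protocol numbers are the IANA assignments; the sample packets and the rule helpers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers (IANA): ICMP=1, TCP=6, UDP=17, ESP=50, AH=51.
ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51

@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None      # only meaningful for TCP/UDP
    icmp_type: Optional[int] = None  # only meaningful for ICMP

# A rule is (action, predicate); the first matching rule wins, as in ipfw.
def match_proto(p: int):
    return lambda pkt: pkt.proto == p

def match_udp_port(port: int):
    return lambda pkt: pkt.proto == UDP and pkt.dport == port

def match_icmp_types(allowed):
    return lambda pkt: pkt.proto == ICMP and pkt.icmp_type in allowed

def evaluate(rules, pkt) -> str:
    for action, pred in rules:
        if pred(pkt):
            return action
    return "deny"  # no rule matched: the implicit default-deny rule

# The ruleset the thread criticises: allow TCP and UDP, deny all other IP.
TCP_UDP_ONLY = [("allow", match_proto(TCP)), ("allow", match_proto(UDP))]

# Corrected ruleset: IKE on UDP/500, ESP and AH themselves, and the ICMP
# types needed for error reporting and path-MTU discovery
# (0 echo reply, 3 unreachable incl. fragmentation-needed, 8 echo, 11 time exceeded).
IPSEC_AWARE = [
    ("allow", match_udp_port(500)),
    ("allow", match_proto(ESP)),
    ("allow", match_proto(AH)),
    ("allow", match_icmp_types({0, 3, 8, 11})),
    ("allow", match_proto(TCP)),
    ("allow", match_proto(UDP)),
]

def verdicts(rules) -> dict:
    # Constructed sample traffic: IKE negotiation, an ESP packet, an ICMP
    # "fragmentation needed" error, and ordinary HTTPS for comparison.
    samples = {
        "ike": Packet(UDP, dport=500),
        "esp": Packet(ESP),
        "frag_needed": Packet(ICMP, icmp_type=3),
        "https": Packet(TCP, dport=443),
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}
```

With TCP_UDP_ONLY the IKE exchange gets through but the ESP tunnel traffic and the ICMP error are dropped, which is exactly the "VPN negotiates but passes no data" symptom; IPSEC_AWARE passes all four.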


