From: Danny Carroll
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
Date: Wed, 7 May 2003 11:27:43 +0200
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Quoting Peter Pentchev:

> You have a very good point here, if by 'IP and UDP' you actually meant
> to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
> UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> ESP packet is an IP packet at the same time. If you meant to say that
> most firewalls only allow TCP and UDP packets, then this is absolutely
> true: a firewall that only allows TCP and UDP, then denies all the rest
> of IP traffic without special provisions for ICMP or ESP, would
> certainly not let any IPsec traffic through.

You see, I knew I was writing that the wrong way round... Of course I meant TCP and UDP.

> Come to think of it, a firewall that only allows TCP and UDP traffic
> and then denies any other IP traffic, including ICMP, is doing a great
> disservice to both itself, its internal network, and the Internet at
> large. This has been said many, many times in many forums, but still:
> some ICMP messages are not only beneficial, they are essential for
> the correct operation of the network. Firewalling all ICMP traffic
> is a very bad idea.

Agreed!

To those that want my rules... I will post them tonight, when I can make sure that they are actually working. From memory I was adding an "allow esp" rule temporarily when I needed VPN support.

-D
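As an added illustration (not Danny's rules, which the message only promises for later), here is a minimal ipfw rule set that puts the "TCP and UDP only" policy the thread warns against beside one that passes IPsec and the essential ICMP types; the rule numbers, the IKE port (UDP 500) and the chosen ICMP types are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Each function prints FreeBSD ipfw
# commands instead of running them, so a rule set can be reviewed first and
# then applied on the firewall with:  ipsec_aware_rules | sh
# Assumed: rule numbers 1000-1090, IKE on UDP/500, ICMP types 3 and 11.

# The policy discussed above: only TCP and UDP ever match an allow rule.
# ESP is IP protocol 50 (neither TCP nor UDP) and ICMP is protocol 1, so
# both fall through to the final deny: IPsec never comes up and
# path-MTU discovery breaks.
tcp_udp_only_rules() {
    cat <<'EOF'
ipfw add 1000 allow tcp from any to any established
ipfw add 1010 allow tcp from any to any out setup keep-state
ipfw add 1020 allow udp from any to any keep-state
ipfw add 1090 deny ip from any to any
EOF
}

# The same policy with the special provisions Peter mentions: IKE sets up
# the security associations over UDP/500, ESP carries the protected
# payload, and ICMP destination-unreachable (3, needed for path-MTU
# discovery) and time-exceeded (11) are passed instead of dropped.
ipsec_aware_rules() {
    cat <<'EOF'
ipfw add 1000 allow tcp from any to any established
ipfw add 1010 allow tcp from any to any out setup keep-state
ipfw add 1020 allow udp from any to any keep-state
ipfw add 1030 allow udp from any 500 to any 500
ipfw add 1040 allow esp from any to any
ipfw add 1050 allow icmp from any to any icmptypes 3,11
ipfw add 1090 deny ip from any to any
EOF
}

# Self-check: does rule set $1 contain an allow rule for protocol $2?
# Exit status 0 means yes, e.g.  allows_proto ipsec_aware_rules esp
allows_proto() {
    "$1" | grep -q "allow $2 "
}
```

Running `allows_proto tcp_udp_only_rules esp` fails while `allows_proto ipsec_aware_rules esp` succeeds, which is exactly the difference the thread is about.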