From owner-freebsd-security@FreeBSD.ORG Tue May 6 02:43:20 2003
From: Danny Carroll
To: Guy Middleton
cc: "freebsd-security@freebsd.org"
Date: Tue, 6 May 2003 11:43:14 +0200
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <1052214194.d45fa9082ef35@www.dannysplace.com>
In-Reply-To: <20030501104614.A29056@chaos.obstruction.com>

Quoting Guy Middleton :

> Until now (and as recommended in the Handbook), I have been using ipfw
> and natd. Everybody here who has IPSec client passthrough working seems
> to use ipf/ipnat. Is ipf/ipnat more flexible? And why is there more than
> one firewalling scheme in FreeBSD?

FYI I have done this in ipfw/natd... It's just as easy. I think I only added one rule to my firewall and nothing to my natd.conf. Now I can VPN from any machine on the internal LAN to multiple VPNs. If you want I can send you the ruleset.

ipfw and ipf are different. I started with ipf but now I like ipfw a lot more because I feel that it's more flexible (others do not). I particularly like the QoS stuff provided by dummynet, so I think it would be hard for me to ever go back.

-D
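As an added illustration of the kind of ipfw/natd fragment the reply is talking about (this is not Danny's ruleset, which is not included in the message), the rules below let IPsec clients on the inside LAN reach external VPN gateways: the natd divert comes first, then IKE over UDP/500 and ESP (IP protocol 50) are permitted on the outside interface. The interface name fxp0, the rule numbers, the assumption that natd is already listening on the "natd" divert port, and the optional UDP/4500 NAT-Traversal rule are all assumptions of this example.

```shell
#!/bin/sh
# Added example: ipfw + natd fragment for IPsec client passthrough.
# Assumed: outside interface $oif, natd already running on divert port
# "natd", and an enclosing ruleset that denies whatever is not allowed.
fwcmd="${fwcmd:-ipfw -q}"   # set fwcmd=echo to dry-run the rule set
oif="${oif:-fxp0}"           # assumed outside interface name

ipsec_passthrough_rules() {
    # Translate first, in both directions. Packets re-enter the ruleset
    # after the divert, so the allow rules below see inside addresses on
    # the way in and outside addresses on the way out. natd needs no
    # extra configuration for this.
    ${fwcmd} add 1000 divert natd ip from any to any via "${oif}"

    # IKE (ISAKMP) negotiates the tunnel over UDP/500. Matching on the
    # destination port only keeps the rule valid in both directions even
    # when natd picks a different source port for the outbound packet.
    ${fwcmd} add 1100 allow udp from any to any 500 via "${oif}"

    # ESP is IP protocol 50 with no ports at all, so a TCP/UDP port rule
    # can never match it; this is the rule that is usually missing.
    ${fwcmd} add 1110 allow esp from any to any via "${oif}"

    # Optional (assumed): NAT-Traversal encapsulates IKE and ESP in
    # UDP/4500 once a NAT is detected; drop this if your peers lack it.
    ${fwcmd} add 1120 allow udp from any to any 4500 via "${oif}"
}
```

Run with `fwcmd=echo sh ruleset.sh` style overrides to review the generated rules before loading them on a live firewall.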