From owner-freebsd-security Wed Apr 11 8:25:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from be-well.ilk.org (lowellg.ne.mediaone.net [24.147.184.128]) by hub.freebsd.org (Postfix) with ESMTP id 26AE137B422 for ; Wed, 11 Apr 2001 08:25:33 -0700 (PDT) (envelope-from lowell@be-well.ilk.org) Received: (from lowell@localhost) by be-well.ilk.org (8.11.3/8.11.3) id f3BFPVf75799; Wed, 11 Apr 2001 11:25:31 -0400 (EDT) (envelope-from lowell) To: Rasputin , freebsd-security@freebsd.org Subject: Re: Interaction between ipfw, IPSEC and natd References: <20010410181407.A1011@linnet.org> <20010411100036.B63302@dogma.freebsd-uk.eu.org> From: Lowell Gilbert Date: 11 Apr 2001 11:25:31 -0400 In-Reply-To: rara.rasputin@virgin.net's message of "11 Apr 2001 11:00:50 +0200" Message-ID: <44bsq331ck.fsf@lowellg.ne.mediaone.net> Lines: 24 X-Mailer: Gnus v5.7/Emacs 20.7 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org rara.rasputin@virgin.net (Rasputin) writes: > Does anybody know if ipfilter has similar problems with IPSec? Some forms of IPSEC have fundamental problems with packet rewriting, which means that NAT is extremely hard to use in an IPSEC environment. Notably, end-to-end IPSEC modes are broken, although router-based tunnels can be a problem depending on whether the NAT rewriting occurs before or after the IPSEC headers are applied. Even without NAT, though, firewalls are a little tricky to configure for IPSEC packets. This is because the firewall can't see the protocol ports (or even the protocol, for that matter) in the packet, so you have to make pass/drop decisions for IPSEC packets without that information. Both ipfilter and ipfw have some ability to deal with IP options, but it's a little limited in both cases and I'm too far out of my depth to speculate on what the right approach to firewalling IPSEC would be. Be well. Lowell Gilbert -- Everybody is ignorant, only on different subjects. -- Will Rogers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message