Date: Wed, 11 Apr 2001 16:59:23 +0100
From: Rasputin <rara.rasputin@virgin.net>
To: freebsd-security@freebsd.org
Cc: lowell@world.std.com
Subject: Re: Interaction between ipfw, IPSEC and natd
Message-ID: <20010411165923.A70350@dogma.freebsd-uk.eu.org>
In-Reply-To: <44bsq331ck.fsf@lowellg.ne.mediaone.net>; from lowell@world.std.com on Wed, Apr 11, 2001 at 11:25:31AM -0400
References: <20010410181407.A1011@linnet.org> <20010411100036.B63302@dogma.freebsd-uk.eu.org> <44bsq331ck.fsf@lowellg.ne.mediaone.net>
* Lowell Gilbert <lowell@world.std.com> [010411 16:29]:
> rara.rasputin@virgin.net (Rasputin) writes:
> > Does anybody know if ipfilter has similar problems with IPSec?
> Some forms of IPSEC have fundamental problems with packet rewriting,
> which means that NAT is extremely hard to use in an IPSEC environment.
> Notably, end-to-end IPSEC modes are broken, although router-based
> tunnels can be a problem depending on whether the NAT rewriting occurs
> before or after the IPSEC headers are applied.

Sorry, should have made it clearer. I'm not running a VPN or anything,
I just need to secure a wireless network. So I need transport mode IPSec
on top of IPv4 from iBook clients to the BSD gateway/firewall.

NAT would take place *after* the packets reach the gateway, on the
outbound interface.

Cheers anyway, I'm an ipf fan so I'll grit my teeth through that.

> Even without NAT, though, firewalls are a little tricky to configure
> for IPSEC packets. This is because the firewall can't see the
> protocol ports (or even the protocol, for that matter) in the packet,
> so you have to make pass/drop decisions for IPSEC packets without that
> information.

> Everybody is ignorant, only on different subjects.
> -- Will Rogers

Amen to that :)

--
"No problem is so formidable that you can't just walk away from it."
Rasputin
Jack of All Trades :: Master of Nuns
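As an added illustration (not part of this thread, and not code from either poster), a gateway-side ipfw ruleset plus a setkey policy for the setup described above: the interface names wi0/fxp0, the 192.168.10.0/24 addresses and the rule numbers are placeholder assumptions.

```shell
#!/bin/sh
# Added illustration, not from the thread: gateway-side rules for the setup
# Rasputin describes. Interface names, addresses and rule numbers are
# placeholders; adjust them to the real wireless and outbound interfaces.
WLAN_IF="${WLAN_IF:-wi0}"               # wireless side (IPsec required)
WAN_IF="${WAN_IF:-fxp0}"                # outbound side (natd runs here)
WLAN_NET="${WLAN_NET:-192.168.10.0/24}" # wireless clients
GW_WLAN="${GW_WLAN:-192.168.10.1}"      # gateway's wireless address
IPFW="${IPFW:-ipfw}"

ipsec_wlan_rules() {
    # ipfw cannot look inside ESP/AH for ports or the inner protocol, so the
    # policy on the wireless interface is written in terms of IP protocol,
    # interface and address only.
    $IPFW add 1000 allow udp from "$WLAN_NET" to "$GW_WLAN" 500 in via "$WLAN_IF"  # IKE
    $IPFW add 1010 allow esp from "$WLAN_NET" to "$GW_WLAN" in via "$WLAN_IF"
    $IPFW add 1020 allow ah from "$WLAN_NET" to "$GW_WLAN" in via "$WLAN_IF"
    # Anything else arriving in the clear on the wireless side is dropped and
    # logged: a client that skips IPsec gets nothing, and the log shows who tried.
    $IPFW add 1090 deny log ip from any to any in via "$WLAN_IF"
    # NAT is done on the outbound interface, so natd rewrites only plain IPv4
    # leaving the gateway and never has to touch an IPsec header.
    $IPFW add 2000 divert natd ip from any to any via "$WAN_IF"
}

wlan_spd_policy() {
    # Belt and braces: the kernel security policy database also demands ESP
    # transport mode between the wireless net and the gateway, so clear-text
    # traffic is refused even if a firewall rule is later loosened.
    cat <<EOF
spdadd $WLAN_NET $GW_WLAN any -P in ipsec esp/transport//require;
spdadd $GW_WLAN $WLAN_NET any -P out ipsec esp/transport//require;
EOF
}

case "${1:-dryrun}" in
    apply) ipsec_wlan_rules; wlan_spd_policy | setkey -c ;;
    *)     IPFW=echo; ipsec_wlan_rules; wlan_spd_policy ;;   # print, do not apply
esac
```

Run without arguments to print the rules and policy; run with `apply` on the gateway to load them with ipfw and setkey.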