From: Rasputin
To: freebsd-security@freebsd.org
Cc: lowell@world.std.com
Date: Wed, 11 Apr 2001 16:59:23 +0100
Subject: Re: Interaction between ipfw, IPSEC and natd
Message-ID: <20010411165923.A70350@dogma.freebsd-uk.eu.org>
In-Reply-To: <44bsq331ck.fsf@lowellg.ne.mediaone.net>; from lowell@world.std.com on Wed, Apr 11, 2001 at 11:25:31AM -0400

* Lowell Gilbert [010411 16:29]:
> rara.rasputin@virgin.net (Rasputin) writes:
> > Does anybody know if ipfilter has similar problems with IPSec?
> Some forms of IPSEC have fundamental problems with packet rewriting,
> which means that NAT is extremely hard to use in an IPSEC environment.
> Notably, end-to-end IPSEC modes are broken, although router-based
> tunnels can be a problem depending on whether the NAT rewriting occurs
> before or after the IPSEC headers are applied.

Sorry, should have made it clearer.
I'm not running a VPN or anything, I just need to secure a wireless network.
So I need transport mode IPSec on top of IPv4 from iBook clients to the BSD gateway/firewall.

NAT would take place *after* the packets reach the gateway, on the outbound interface.

Cheers anyway, I'm an ipf fan so I'll grit my teeth through that.

> Even without NAT, though, firewalls are a little tricky to configure
> for IPSEC packets. This is because the firewall can't see the
> protocol ports (or even the protocol, for that matter) in the packet,
> so you have to make pass/drop decisions for IPSEC packets without that
> information.

> Everybody is ignorant, only on different subjects.
> -- Will Rogers

Amen to that :)

-- 
"No problem is so formidable that you can't just walk away from it."
Rasputin
Jack of All Trades :: Master of Nuns
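The point in the quoted paragraph, that a packet filter sees no ports (and no inner protocol) in a transport-mode ESP packet and so must decide on addresses and IP protocol alone, shown by an added Python example that is not code from this thread. The wireless subnet 10.0.1.0/24, the gateway address 10.0.1.1 and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
WLAN_NET, GATEWAY = "10.0.1.0/24", "10.0.1.1"   # assumed addressing, not from the thread

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum zeroed) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def classify(pkt):
    """Return only the fields a packet filter can see in the unencrypted headers."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])), "proto": proto}
    body = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    elif proto == IPPROTO_ESP:
        # ESP exposes only the SPI and sequence number; the inner transport
        # header, including the next-protocol number, is encrypted.
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    return info

def decide(info):
    """Wireless-interface policy: only IKE (UDP/500) and ESP to the gateway pass in the clear."""
    from_wlan = ipaddress.IPv4Address(info["src"]) in ipaddress.IPv4Network(WLAN_NET)
    if from_wlan and info["dst"] == GATEWAY:
        if info["proto"] == IPPROTO_ESP:
            return "pass"                      # decided on addresses + protocol only
        if info["proto"] == IPPROTO_UDP and info["dport"] == 500:
            return "pass"                      # IKE negotiation
    return "drop"

# Constructed sample traffic from an iBook at 10.0.1.20
ESP_PKT = build_ipv4("10.0.1.20", GATEWAY, IPPROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 16)
IKE_PKT = build_ipv4("10.0.1.20", GATEWAY, IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0))
PLAIN_PKT = build_ipv4("10.0.1.20", "192.0.2.10", IPPROTO_TCP, struct.pack("!HH", 40000, 80) + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in (("esp", ESP_PKT), ("ike", IKE_PKT), ("plain", PLAIN_PKT)):
        print(name, classify(pkt), decide(classify(pkt)))
```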