Date:      Wed, 7 May 2003 21:33:45 +0200
From:      "Danny Carroll" <fbsd@dannysplace.net>
To:        "Peter Pentchev" <roam@ringlet.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID:  <003101c314cf$930ceef0$e464a8c0@llama>
References:  <20030430190040.A78C937B407@hub.freebsd.org><1051788543.641.31.camel@thoreau.sohotech.ca><20030501104614.A29056@chaos.obstruction.com><1052214194.d45fa9082ef35@www.dannysplace.com><20030506092623.I56271@cithaeron.argolis.org><1052258867.b640e23b86613@www.dannysplace.com><20030507055036.GA665@straylight.oblivion.bg> <1052299663.086db7b178457@www.dannysplace.com>

As promised, my ruleset that works..
I've removed the lines that are important for me to keep a secret...  But
they are only things like ftp...
My Natd.conf only has some port redirects for web/ftp etc...
p.s. Sorry for the top-post...

allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any

# Spoof protection.
deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0
deny log logamount 500 ip from any to 10.0.0.0/8 via xl0
deny log logamount 500 ip from any to 172.16.0.0/12 via xl0
deny log logamount 500 ip from any to 192.168.0.0/24 via xl0
deny log logamount 500 ip from 0.0.0.0/8 to any via xl0
deny log logamount 500 ip from 169.254.0.0/16 to any via xl0
deny log logamount 500 ip from 192.0.2.0/24 to any via xl0
deny log logamount 500 ip from 224.0.0.0/4 to any via xl0
deny log logamount 500 ip from 240.0.0.0/4 to any via xl0

#Disallow smb/nmb
deny log logamount 500 tcp from any to any 137-139 via xl0
deny log logamount 500 tcp from any 137-139 to any via xl0
deny log logamount 500 udp from any to any 137-139 via xl0
deny log logamount 500 udp from any 137-139 to any via xl0

# Now divert, and setup my pipes... (These are so my web/ftp server leaves me some bandwidth)
pipe 1 ip from 192.168.10.0/24 to any out xmit xl0
divert 8668 ip from any to any via xl0
pipe 2 ip from any to 192.168.10.0/24 in recv xl0

allow tcp from any to any established
allow tcp from any to any 25 setup
allow tcp from any to any 21 setup
allow tcp from any to any 80 setup
allow tcp from any to any 443 setup
allow udp from 192.168.50.0/24 to any keep-state
allow tcp from 192.168.50.0/24 to any setup
deny log logamount 500 tcp from any to any in recv xl0 setup
allow icmp from any to any
deny log logamount 500 ip from any to any
65535 deny ip from any to any

----- Original Message -----
From: "Danny Carroll" <fbsd@dannysplace.net>
To: "Peter Pentchev" <roam@ringlet.net>
Cc: <freebsd-security@freebsd.org>
Sent: Wednesday, May 07, 2003 11:27 AM
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?


> Quoting Peter Pentchev <roam@ringlet.net>:
> > You have a very good point here, if by 'IP and UDP' you actually meant
> > to say 'TCP and UDP', and 'ESP is a different protocol from TCP'.  TCP,
> > UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> > ESP packet is an IP packet at the same time.  If you meant to say that
> > most firewalls only allow TCP and UDP packets, then this is absolutely
> > true: a firewall that only allows TCP and UDP, then denies all the rest
> > of IP traffic without special provisions for ICMP or ESP, would
> > certainly not let any IPsec traffic through.
>
> You see, I knew I was writing that the wrong way round...  Of course I meant
> tcp and udp.
>
> > Come to think of it, a firewall that only allows TCP and UDP traffic
> > and then denies any other IP traffic, including ICMP, is doing a great
> > disservice to both itself, its internal network, and the Internet at
> > large.  This has been said many, many times in many forums, but still:
> > some ICMP messages are not only beneficial, they are essential for
> > the correct operation of the network.  Firewalling all ICMP traffic
> > is a very bad idea.
>
> Agreed!
>
> To those that want my rules...  I will post them tonight, when I can make sure
> that they are actually working.  From memory I was adding an "allow esp" rule
> temporarily when I needed vpn support.
> -D
>
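The point Peter makes above, that a policy which only admits TCP and UDP and then denies the rest of IP never passes IPsec, can be checked mechanically. The Python below is an added example, not code from this thread or from FreeBSD: a small first-match evaluator that models a subset of ipfw semantics and runs constructed packets (documentation address ranges) against the filtering rules of the posted set, once as posted and once with the "allow esp" rule Danny mentions. The Packet and Rule types, the sample addresses, and the extra UDP/500 rule for IKE key exchange are assumptions of the example; interface qualifiers, divert, pipes and keep-state dynamic rules are not modelled.

```python
"""Constructed model of ipfw first-match evaluation (not ipfw itself).

It covers just enough of the posted ruleset's syntax (allow/deny, a
protocol, CIDR or "any" endpoints, destination ports, the TCP "setup"
and "established" flags) to show why a policy that only admits TCP,
UDP and ICMP drops IPsec: ESP is IP protocol 50, neither TCP nor UDP,
so it falls through to the final "deny ip from any to any".
Interface qualifiers (via/in recv), divert, pipes and keep-state
dynamic rules are deliberately not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn_only: bool = False     # TCP SYN without ACK, i.e. what "setup" matches


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dports: Tuple[int, ...] = ()   # empty tuple means any port
    setup: bool = False        # only a TCP connection request matches
    established: bool = False  # only a TCP packet that is not a bare SYN matches


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    if rule.established and not (pkt.proto == "tcp" and not pkt.syn_only):
        return False
    return True


def evaluate(rules, pkt: Packet):
    """First matching rule decides; returns (action, index of that rule)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None   # stands in for ipfw's default rule 65535


# The filtering part of the posted ruleset, interface qualifiers dropped.
POSTED_SUBSET = [
    Rule("allow", "tcp", established=True),
    Rule("allow", "tcp", dports=(25,), setup=True),
    Rule("allow", "tcp", dports=(80,), setup=True),
    Rule("allow", "tcp", dports=(443,), setup=True),
    Rule("allow", "udp", src="192.168.50.0/24"),
    Rule("allow", "tcp", src="192.168.50.0/24", setup=True),
    Rule("deny", "tcp", setup=True),
    Rule("allow", "icmp"),
    Rule("deny", "ip"),
]

# Same policy with the "allow esp" rule the thread mentions, plus UDP/500
# for IKE key exchange (assumption: the thread itself only names esp).
WITH_IPSEC = (
    POSTED_SUBSET[:-2]
    + [Rule("allow", "esp"), Rule("allow", "udp", dports=(500,))]
    + POSTED_SUBSET[-2:]
)

# Constructed traffic samples using documentation address ranges.
PEER, GATEWAY = "203.0.113.5", "198.51.100.2"
SAMPLES = {
    "esp_from_peer": Packet("esp", PEER, GATEWAY),
    "ike_from_peer": Packet("udp", PEER, GATEWAY, dport=500),
    "http_request": Packet("tcp", PEER, GATEWAY, dport=80, syn_only=True),
    "ssh_request": Packet("tcp", PEER, GATEWAY, dport=22, syn_only=True),
    "ping": Packet("icmp", PEER, GATEWAY),
}


def audit(rules) -> dict:
    """Map each sample packet name to the verdict the ruleset gives it."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_SUBSET), ("with ipsec", WITH_IPSEC)):
        print(label)
        for name, verdict in audit(rules).items():
            print(f"  {name:15s} {verdict}")
```

Run as a script it prints the verdict for each sample under both rulesets: ESP and IKE from the peer hit the final "deny ip" in the posted set and are admitted only once the esp and UDP/500 rules sit above it, while the HTTP, SSH and ICMP verdicts are unchanged. The same approach scales to a real ruleset by exporting it with `ipfw list` and translating each line into a Rule, which gives a cheap regression check before reloading a firewall.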