Date:      Sun, 29 Apr 2001 08:41:12 -0700
From:      "Jacob S. Barrett" <jsbarrett@acm.org>
To:        freebsd-ipfw@freebsd.org
Subject:   IPFW with IPSEC and odd rule matching
Message-ID:  <3AEC3618.8000605@acm.org>

I am having a few problems with my firewall rules and ipsec tunnel. 
Here are my rules as they are now (well only the rules that apply to my 
problem).

lnc0 = internal interface	10.0.0.0/16
ed0 = external interface	206.124.145.0/24
gif0 = ipsec tunnel 		10.2.0.0/16

# standard anti-spoofing
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 10.0.0.0/16 to any in recv ed0
00400 deny ip from 206.124.145.0/24 to any in recv lnc0
...
# ipsec tunnel ***
00800 allow esp from 206.124.145.161 to 24.10.38.31 via ed0
00900 allow esp from 24.10.38.31 to 206.124.145.161 via ed0
01000 allow ip from 10.0.0.0/16 to 10.2.0.0/16 via gif0
01100 allow ip from 10.2.0.0/16 to 10.0.0.0/16 via ed0
# blocking private address from outside
01200 deny ip from any to 10.0.0.0/8 via ed0
01300 deny ip from any to 172.16.0.0/12 via ed0
01400 deny ip from any to 192.168.0.0/16 via ed0
...
# nat
02000 divert 8668 ip from any to any via ed0
# blocking private from inside
02100 deny ip from 10.0.0.0/8 to any via ed0
02200 deny ip from 172.16.0.0/12 to any via ed0
02300 deny ip from 192.168.0.0/16 to any via ed0
...
# allowing established
02900 allow tcp from any to any established
03000 allow ip from any to any frag
...
# log attempted setups from outside.
05800 deny log logamount 100 tcp from any to any in recv ed0 setup
# allow setups from inside.
05900 allow tcp from any to any setup
# allow all internal
06000 allow ip from any to any via lnc0
# stop everything else
65535 deny ip from any to any

All of this works right now with a few minor problems.

The first oddity is that rule 1100 does not work if I specify "via 
gif0".  If I do that then rule 1200 blocks all inbound because nothing 
matches 1100.  That seems odd to me since the packets should be arriving 
on ed0 encapsulated in an ESP packet which matches 900.  Then it should 
be decoded and come in on gif0.  Am I mistaken?  Does it really consider 
the decoded packet to have entered on ed0?

The second oddity is that rule 800 never matches.  It seems to me that 
the outbound ESP packets should have to match that rule to get out.  I 
am not sure what other rule they would be matching to exit.  When I use 
the Java application I whipped up to monitor the ipfw tables it doesn't 
indicate an obvious rule that is matching these packets.  The only rules 
that are actively matching are 900, 1000, and 1100.

Is there anything wrong with the way I have this all configured?  I 
would appreciate any help you all have to offer.

Thanks,
Jake


--
Jacob S. Barrett
jsbarrett@acm.org
www.amduat.net
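Editor's added example (not part of Jake's message, and not FreeBSD code): a small Python first-match simulator for the ipfw syntax used in the ruleset above. It answers only "which rule would a packet with these attributes hit?"; both questions in the post are really about which attributes the kernel gives the packet (on which interface the decrypted packet is presented to ipfw, and whether the outbound ESP packet is shown to ipfw at all), and no rule simulator can settle that. The ruleset embedded in the code is the subset of the posted rules that the constructed packets can reach; the "..." elided rules are not on the page and are not reconstructed. The packet addresses (10.2.0.5, 10.0.0.7, 203.0.113.9) and the crude natd stand-in that rewrites the source of outbound packets to 206.124.145.161 are assumptions made for the example.

```python
# Added example, not from the post and not FreeBSD code: a first-match simulator
# for the ipfw(8) syntax used above, to see which rule a given packet would hit.
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set, Tuple

@dataclass
class Packet:
    proto: str                     # "tcp", "icmp", "esp", ...; rule proto "ip" matches any
    src: str
    dst: str
    recv: Optional[str] = None     # interface the packet arrived on
    xmit: Optional[str] = None     # interface it leaves on; None means inbound
    tcp_setup: bool = False        # SYN without ACK
    tcp_established: bool = False  # ACK or RST set

@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str] = None           # "in" / "out"
    iface: Optional[Tuple[str, str]] = None   # ("via" | "recv" | "xmit", name)
    opts: Set[str] = field(default_factory=set)

def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw show'-style line; unknown tokens raise rather than being ignored."""
    tok = line.split()
    number, action = int(tok.pop(0)), tok.pop(0)
    if action == "divert":
        action += " " + tok.pop(0)         # divert takes a port
    if tok[0] == "log":                    # logging does not affect matching
        del tok[:3 if tok[1] == "logamount" else 1]
    proto, kw1, src, kw2, dst, *tok = tok
    if (kw1, kw2) != ("from", "to"):
        raise ValueError(f"rule {number}: expected 'PROTO from SRC to DST'")
    nets = [ipaddress.ip_network("0.0.0.0/0" if a == "any" else a, strict=False) for a in (src, dst)]
    rule = Rule(number, action, proto, *nets)
    while tok:
        t = tok.pop(0)
        if t in ("in", "out"):
            rule.direction = t
        elif t in ("via", "recv", "xmit"):
            rule.iface = (t, tok.pop(0))
        elif t in ("established", "setup"):
            rule.opts.add(t)
        else:
            raise ValueError(f"rule {number}: unsupported token {t!r}")
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    outbound = pkt.xmit is not None
    if rule.direction and (rule.direction == "out") != outbound:
        return False
    seen = {"via": (pkt.recv, pkt.xmit), "recv": (pkt.recv,), "xmit": (pkt.xmit,)}
    if rule.iface and rule.iface[1] not in seen[rule.iface[0]]:
        return False
    if rule.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    tcp = pkt.proto == "tcp"               # setup/established need a TCP header
    return (("setup" not in rule.opts or (tcp and pkt.tcp_setup))
            and ("established" not in rule.opts or (tcp and pkt.tcp_established)))

def evaluate(rules: List[Rule], pkt: Packet, nat_addr: Optional[str] = None) -> Tuple[str, List[int]]:
    """First match wins; returns (action, every rule number matched, in order). A divert match
    is recorded and evaluation resumes at the next rule, as after natd; the only translation
    modelled (an assumption) is rewriting the source of outbound packets to nat_addr."""
    hit: List[int] = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        hit.append(rule.number)
        if not rule.action.startswith("divert"):
            return rule.action, hit
        if nat_addr and pkt.xmit is not None:
            pkt = replace(pkt, src=nat_addr)
    return "deny", hit                     # kernel default when nothing matches

# Subset of the poster's rules that the packets in the tests can reach (the "..." rules are not on the page).
RULESET = """\
00800 allow esp from 206.124.145.161 to 24.10.38.31 via ed0
00900 allow esp from 24.10.38.31 to 206.124.145.161 via ed0
01000 allow ip from 10.0.0.0/16 to 10.2.0.0/16 via gif0
01100 allow ip from 10.2.0.0/16 to 10.0.0.0/16 via ed0
01200 deny ip from any to 10.0.0.0/8 via ed0
02000 divert 8668 ip from any to any via ed0
02100 deny ip from 10.0.0.0/8 to any via ed0
02900 allow tcp from any to any established
05800 deny log logamount 100 tcp from any to any in recv ed0 setup
05900 allow tcp from any to any setup
65535 deny ip from any to any
"""
RULES = [parse_rule(l) for l in RULESET.splitlines()]

def with_rule_1100_on(iface: str) -> List[Rule]:
    """Same ruleset with 1100 rewritten to 'via <iface>', the two variants the poster tried."""
    return [replace(r, iface=("via", iface)) if r.number == 1100 else r for r in RULES]
```

Feeding the decrypted 10.2.0.0/16 -> 10.0.0.0/16 packet through with_rule_1100_on("gif0") while its receive interface is ed0 reproduces the first oddity exactly as described: "via gif0" cannot match it and rule 1200 denies it, whereas "via ed0" allows it; the same packet presented on gif0 is allowed by either variant. For the second oddity the simulator reports that an outbound ESP packet on ed0 would match rule 800, which is what the rules say, so a counter that never moves suggests the packet is not presented to ipfw in that form rather than a fault in the rule. The NAT cases show why rule 2100 has to sit after the divert: without the source rewrite, an internal host's outbound SYN is denied by 2100 instead of reaching 5900.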

