From: steve@Watt.COM (Steve Watt)
Date: Fri, 4 May 2001 16:37:01 -0700
To: questions@freebsd.org
Cc: flemming@froekjaer.org
Subject: Re: ipsec/ipfw combination insecure?
Message-Id: <200105042337.f44Nb1k98320@wattres.Watt.COM>
In-Reply-To: <989018541-m2n-gw@Watt.COM>
Organization: Watt Consultants, San Jose, CA, USA

flemming@froekjaer.org wrote:
>When using ipsec to set up a VPN, address translation is taking place
>before ipfw gets the packets. This means that ipfw sees the packets from
>the remote RFC1918 network as coming from the external network
>interface, and thus one is forced to bore a gaping hole for incoming
>traffic in that IP range for the VPN to work. As far as I know, hackers
>can easily spoof their IP, so it will look like their packets are coming
>from that very same IP range. Am I too paranoid here, or is there really
>a security problem with this? If there is, what can be done about it? If
>there isn't, why not?

It certainly appears insecure to me, as well. I fixed it by adding
RFC1918 filters to the router outside my FreeBSD box, but that seems
distasteful.

Unfortunately, architecting a fix seems difficult; I would guess that
the ingress side would have to be trained such that if the source
address was one that could come in via an IPsec tunnel, it should be
dropped. Except that the drop needs to happen before IPsec processing,
and IPsec processing simply returns the incoming packet to the
interface queue.

I think the best choice would be to force the post-IPsec packets to
appear as if they came from a different interface.

It's an ugly problem.

-- 
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...
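
[Added example, not part of the original message and not FreeBSD code: a small Python model of the filtering order discussed in this thread, comparing decapsulated packets re-queued on the external interface with the "different interface" idea. The interface names, addresses and the single-rule firewall are assumptions made up for the illustration.]

```python
"""Toy model of the ipsec/ipfw ordering problem (illustrative, not FreeBSD code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

REMOTE_VPN_NET = ip_network("192.168.50.0/24")  # constructed remote RFC1918 net
EXT_IF = "ext0"      # hypothetical external interface name
TUN_IF = "ipsec0"    # hypothetical pseudo-interface for post-IPsec packets

@dataclass(frozen=True)
class Packet:
    src: str
    recv_if: str         # interface the filter believes the packet arrived on
    esp: bool = False    # True while still ESP-encapsulated
    inner_src: str = ""  # source address of the tunnelled packet

def decapsulate(pkt, requeue_if):
    """IPsec input: strip ESP and hand the inner packet back to the stack."""
    return Packet(src=pkt.inner_src, recv_if=requeue_if)

def firewall(pkt, vpn_if):
    """ESP is allowed on EXT_IF; the remote VPN net is allowed only on vpn_if."""
    if pkt.esp:
        return pkt.recv_if == EXT_IF
    if ip_address(pkt.src) in REMOTE_VPN_NET:
        return pkt.recv_if == vpn_if
    return False  # default deny for everything else in this model

def admitted(pkt, requeue_if):
    """Run one arriving packet through filter -> IPsec -> filter."""
    if not firewall(pkt, requeue_if):
        return False
    if pkt.esp:
        return firewall(decapsulate(pkt, requeue_if), requeue_if)
    return True

def compare():
    """Return {design: (tunnelled admitted, forged cleartext admitted)}."""
    tunnelled = Packet("203.0.113.7", EXT_IF, esp=True, inner_src="192.168.50.10")
    forged = Packet("192.168.50.10", EXT_IF)  # cleartext, never went through IPsec
    designs = (("same interface", EXT_IF), ("separate interface", TUN_IF))
    return {name: (admitted(tunnelled, rq), admitted(forged, rq))
            for name, rq in designs}

if __name__ == "__main__":
    for name, (vpn_ok, forged_ok) in compare().items():
        print(f"{name}: tunnelled={vpn_ok} forged cleartext={forged_ok}")
```

[In the model, the rule that lets tunnelled traffic through on the external interface also admits the cleartext packet with a forged source; once decapsulated packets carry a different receive interface, the same rule can be bound to that interface and the cleartext packet is dropped.]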