From: "Reto Trachsel (NetModule)"
To: "'Alex Le Heux'", Kshitij Gunjikar
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: Filtering packets received through an ipsec tunnel
Date: Mon, 14 Jan 2002 16:28:25 +0100

Hi all

Ok, at this time I would handle this problem like this: connect the two sides with an IPSec tunnel and write an access list with ipfw that allows only the specified traffic from the other side's network to your network. This would be the fastest way to handle this problem.

For this, you have to enable the firewall feature on FreeBSD and enter the rules with the ipfw program (/etc/rc.firewall or another included script). The script could look like this:

    # SSH from the external net to port 22 on the internal net; the client's
    # source port is ephemeral, so only the server port is specified
    ipfw add allow tcp from 192.168.10.0/24 to 192.168.20.0/24 22
    # return traffic from the internal SSH servers back to the external net
    ipfw add allow tcp from 192.168.20.0/24 22 to 192.168.10.0/24
    # everything else is dropped
    ipfw add deny ip from any to any

This example permits all SSH connections from the external to the internal network, where the external net is 192.168.10.0/24 and the internal net is 192.168.20.0/24.

More information about the firewall and its rules: man ipfw

Regards
Reto Trachsel

Your Partner for Internet & Networking Technologies!
____________________________________________________
NetModule AG
Meriedweg 7 / CH-3172 Niederwangen
Phone: +41 31 985 25 10 / Fax: +41 31 985 25 11
www.netmodule.com

NetModule AG, Java Competence Center
Zuercherstrasse 12 / Postfach / CH-8401 Winterthur
Phone: +41 52 209 00 44 / Fax: +41 52 209 00 40
____________________________________________________

-----Original Message-----
From: Alex Le Heux [mailto:alexlh@funk.org]
Sent: Monday, 14 January 2002 15:09
To: Kshitij Gunjikar
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Filtering packets received through an ipsec tunnel

...
I am worried about giving the network at the other end of the tunnel full access to mine. In only a few of the many possible IPSec implementations do both ends of the tunnel follow the same security policies. And even then I might want to use filtering.
...
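The reply above relies on two properties of ipfw rule lists: rules are tried in order and the first match decides, and a port given after an address constrains that side's port exactly. The following Python model, added here as an example and not code from the thread or from FreeBSD, implements just that subset of the ipfw grammar (allow/deny, tcp/udp/ip, one optional port per side) and runs constructed sample packets through two rulesets for the 192.168.10.0/24 and 192.168.20.0/24 networks: one that pins port 22 on both the source and the destination side, and one that pins only the SSH server's port. Because an SSH client connects from an ephemeral source port, the first variant matches neither the connection attempt nor its reply and falls through to the final deny, while the second admits exactly the SSH traffic and nothing else. The addresses and port numbers are constructed; the default-deny result for an unmatched packet is an assumption of the model (a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT).

```python
"""Simplified model of ipfw first-match evaluation (added example, not ipfw itself).

Only the subset of the rule grammar used in the thread is modelled:
    ipfw add <allow|deny> <tcp|udp|ip> from <net|any> [port] to <net|any> [port]
Rules are tried in order and the first match decides; with no match the
packet is denied (assumption: kernel without IPFIREWALL_DEFAULT_TO_ACCEPT).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str               # CIDR network or "any"
    sport: Optional[int]   # None means any source port
    dst: str
    dport: Optional[int]   # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw add ...' line into a Rule."""
    tokens = line.split()
    if tokens[:2] != ["ipfw", "add"] or len(tokens) < 7 or tokens[4] != "from":
        raise ValueError("unsupported rule syntax: " + line)
    action, proto = tokens[2], tokens[3]
    to_idx = tokens.index("to")
    src_part, dst_part = tokens[5:to_idx], tokens[to_idx + 1:]
    sport = int(src_part[1]) if len(src_part) > 1 else None
    dport = int(dst_part[1]) if len(dst_part) > 1 else None
    return Rule(action, proto, src_part[0], sport, dst_part[0], dport)


def _addr_in(spec: str, addr: str) -> bool:
    """True if addr is covered by spec ('any' or a CIDR network)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field given in the rule must match the packet exactly."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_in(rule.src, pkt.src) and _addr_in(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(ruleset: List[str], pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'deny' if none match."""
    for rule in map(parse_rule, ruleset):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed rulesets for the two tunnel networks discussed in the thread.
# Variant A pins port 22 on BOTH ends of each rule.
PINNED_BOTH_PORTS = [
    "ipfw add allow tcp from 192.168.10.0/24 22 to 192.168.20.0/24 22",
    "ipfw add allow tcp from 192.168.20.0/24 22 to 192.168.10.0/24 22",
    "ipfw add deny ip from any to any",
]
# Variant B pins only the SSH server's port, leaving the client's ephemeral port open.
SERVER_PORT_ONLY = [
    "ipfw add allow tcp from 192.168.10.0/24 to 192.168.20.0/24 22",
    "ipfw add allow tcp from 192.168.20.0/24 22 to 192.168.10.0/24",
    "ipfw add deny ip from any to any",
]

# Constructed sample packets: an SSH SYN from an ephemeral client port, its reply,
# a telnet attempt, and an SSH attempt from an address outside the tunnel nets.
SSH_SYN = Packet("tcp", "192.168.10.5", 40123, "192.168.20.7", 22)
SSH_REPLY = Packet("tcp", "192.168.20.7", 22, "192.168.10.5", 40123)
TELNET = Packet("tcp", "192.168.10.5", 40124, "192.168.20.7", 23)
OUTSIDER = Packet("tcp", "10.9.8.7", 40125, "192.168.20.7", 22)


def verdicts(ruleset: List[str]) -> Dict[str, str]:
    """Verdict of the ruleset for each constructed sample packet."""
    samples = [("ssh_syn", SSH_SYN), ("ssh_reply", SSH_REPLY),
               ("telnet", TELNET), ("outsider", OUTSIDER)]
    return {name: evaluate(ruleset, pkt) for name, pkt in samples}


if __name__ == "__main__":
    for label, rs in [("both ports pinned", PINNED_BOTH_PORTS), ("server port only", SERVER_PORT_ONLY)]:
        print(label, verdicts(rs))
```

On a real host the loaded list can be inspected with `ipfw list` to confirm rule order before relying on the final deny. The model ignores ipfw's stateful keywords (keep-state/check-state), which are the usual way to admit return traffic without a second static rule.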