Date: Tue, 10 Apr 2001 18:14:07 +0100
From: Brian Candler <B.Candler@pobox.com>
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Interaction between ipfw, IPSEC and natd
Message-ID: <20010410181407.A1011@linnet.org>
Is there any documentation on how ipfw, natd and IPSEC interact with each
other? In particular,
- what is the order of processing of inbound and outbound packets?
- when packets are re-injected by natd, where in the whole system are they
re-injected?
- do packets reinjected by natd still match 'in via <interface>' or
'out via <interface>'? (OK, I could determine this one experimentally,
but I'd still like to see it documented :-)
I see that by default FreeBSD puts its natd divert rule right at the very
top of the ruleset, but I have found that this stops IPSEC processing
working. I can make it work by putting natd lower down: e.g.
add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8 # private addrs
add 02000 divert 8668 ip from any to any via xl0 # external i/face
Here, subnets of 10.0.0.0/8 are behind the 'private' interface and also the
remote endpoints of IPSEC tunnels; there are IPSEC SAs which define them
exactly. However, in this case I find it difficult to add anti-spoofing rules
on external interfaces without breaking either IPSEC or NAT.
Note that even in the presence of IPSEC, anti-spoofing rules _are_ still
required. For example, I have an SA which says
spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any
-P out none;
spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any
-P in none;
(where 10.0.1.0/24 is the locally-attached subnet and other downstream
subnets are within the /20). This is in order to allow local, non-encrypted
traffic to be routed via this box. However, the presence of this SA means
that I really need an anti-spoofing filter on the public interface to
prevent packets matching this null SA being injected from outside.
In the end, I want to build a firewall with:
- antispoofing on all interfaces
- various IPSEC tunnels to distant subnets of private network
- natd for sessions going out of "public" interface
- the ability to add other ipfw policy controls
and not only should it work, but I should also have some confidence that it
is actually secure and doing what I intend - which means I really need to
understand how all these bits fit together :-)
Thanks,
Brian.
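As an added example, not part of Brian's message or of FreeBSD's own tools: a small Python model of ipfw's first-match rule evaluation, run over the two rules quoted above plus an assumed anti-spoofing deny (rule 00500, assumed interface name xl0 for the public side and fxp0 for the private side). It shows why rule 01000, which has no interface qualifier, matches a packet with a 10/8 source arriving on the public interface, and how a deny placed ahead of it changes the outcome. It models only ipfw rule ordering; it says nothing about where IPSEC decapsulation or natd reinjection happen relative to the ruleset, which is exactly the open question here.

```python
import ipaddress
import re

# Constructed ruleset (example only): the two rules quoted in the message,
# an assumed anti-spoofing deny on the external interface, and the implicit
# final deny that ipfw applies when nothing else matches.
RULES_TEXT = """
add 00500 deny ip from 10.0.0.0/8 to any in via xl0   # assumed anti-spoofing rule
add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8     # private addrs (from the message)
add 02000 divert 8668 ip from any to any via xl0      # external i/face (from the message)
add 65535 deny ip from any to any                     # implicit default deny
"""

# Subset of ipfw rule syntax sufficient for the rules above.
RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>permit|allow|deny|divert)"
    r"(?:\s+(?P<port>\d+))?\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<iface>\S+))?"
    r"\s*(?:#.*)?$"
)


def _net(token):
    """'any' matches everything; otherwise parse an address or CIDR prefix."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Parse ipfw 'add' lines into dicts, sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        rules.append({
            "num": int(m["num"]),
            "action": "permit" if m["action"] == "allow" else m["action"],
            "port": m["port"],          # divert port, if any
            "proto": m["proto"],
            "src": _net(m["src"]),
            "dst": _net(m["dst"]),
            "dir": m["dir"],            # 'in', 'out' or None (both)
            "iface": m["iface"],        # interface name or None (any)
        })
    return sorted(rules, key=lambda r: r["num"])


def first_match(rules, src, dst, direction, iface, proto="ip"):
    """Return (rule number, action) of the first rule the packet matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", "all", proto):
            continue
        if r["src"] is not None and s not in r["src"]:
            continue
        if r["dst"] is not None and d not in r["dst"]:
            continue
        if r["dir"] is not None and r["dir"] != direction:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        return r["num"], r["action"]
    return None


def without_rule(rules, num):
    """Copy of the ruleset with one rule removed, to compare orderings."""
    return [r for r in rules if r["num"] != num]


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # Spoofed packet: private source address arriving on the public interface.
    spoofed = ("10.0.0.1", "10.0.1.5", "in", "xl0")
    print("with anti-spoofing rule   :", first_match(rules, *spoofed))
    print("without anti-spoofing rule:", first_match(without_rule(rules, 500), *spoofed))
    # Ordinary outbound session from the private side, which should reach natd.
    print("outbound to Internet      :", first_match(rules, "10.0.1.5", "198.51.100.7", "out", "xl0"))
```

The first two prints show the author's dilemma in miniature: without rule 00500 the spoofed packet is accepted by 01000, and with it the packet is dropped, but the same deny will also apply to any decapsulated IPSEC traffic that ipfw sees as arriving "in via xl0", which depends on the processing order the message asks about.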
