Date: Fri, 4 May 2001 23:42:49 -0500 (CDT)
From: Nick Rogness <nick@rogness.net>
To: Flemming Frøkjær
Cc: questions@FreeBSD.ORG
Subject: Re: ipsec/ipfw combination insecure?
In-Reply-To: <3174.63.105.19.225.989018470.squirrel@sleipner.eiffel.dk>

On Fri, 4 May 2001, Flemming Frøkjær wrote:

> When using ipsec to set up a VPN, address translation is taking place
> before ipfw gets the packets. This means that ipfw sees the packets from
> the remote RFC1918 network as coming from the external network
> interface, and thus one is forced to bore a gaping hole for incoming
> traffic in that IP range for the VPN to work. As far as I know, hackers
> can easily spoof their IP, so it will look like their packets are coming
> from that very same IP range. Am I too paranoid here, or is there really
> a security problem with this?

	Well, on a local network, yes, spoofing is easy. Coming in from
	the internet *may* be a different story. If everyone were to run
	packet filters on their borders to prevent spoofing this would
	never be a problem. Unfortunately, this does not always
	happen...so, yes, being concerned is a smart thing.

> If there is, what can be done about it?

	Possibly running tunnels between your machine and the other
	network. Then add crypto on top of that. Makes things a tad more
	difficult to break.

Nick Rogness <nick@rogness.net>
	- Keep on Routing in a Free World...
	  "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
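An added illustration of the layout Nick suggests (a gif tunnel to the other site, with IPsec protecting the tunnel packets), written for this page and not taken from the thread. It assumes a FreeBSD box where fxp0 is the public interface, gif0 is the tunnel, the decapsulated packets reach ipfw on gif0, and the addresses and networks below are placeholders: the remote RFC1918 range is then accepted only on gif0, and the same range is rejected as spoofed on fxp0.

```shell
#!/bin/sh
# Example ipfw ruleset for a gif-over-IPsec VPN (constructed example; all
# interface names, addresses and networks are assumptions, not from the mail).

IPFW=${IPFW:-/sbin/ipfw}          # override (e.g. IPFW=echo) to preview rules
EXT_IF=${EXT_IF:-fxp0}            # public interface
TUN_IF=${TUN_IF:-gif0}            # tunnel to the remote site
EXT_IP=${EXT_IP:-203.0.113.10}    # our public address (documentation range)
PEER=${PEER:-198.51.100.20}       # remote gateway's public address
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}
REMOTE_NET=${REMOTE_NET:-192.168.2.0/24}

load_rules() {
    $IPFW -f flush
    $IPFW add 50  allow ip from any to any via lo0

    # Anti-spoofing at the border: private source addresses and our own
    # address must never arrive on the public interface.
    $IPFW add 100 deny log ip from 10.0.0.0/8     to any in via $EXT_IF
    $IPFW add 110 deny log ip from 172.16.0.0/12  to any in via $EXT_IF
    $IPFW add 120 deny log ip from 192.168.0.0/16 to any in via $EXT_IF
    $IPFW add 130 deny log ip from $EXT_IP        to any in via $EXT_IF

    # Only ESP and IKE from the known peer are accepted on the outside;
    # the tunnel itself rides inside ESP, so nothing else is needed here.
    $IPFW add 200 allow esp from $PEER to $EXT_IP in via $EXT_IF
    $IPFW add 210 allow udp from $PEER 500 to $EXT_IP 500 in via $EXT_IF
    $IPFW add 220 allow esp from $EXT_IP to $PEER out via $EXT_IF
    $IPFW add 230 allow udp from $EXT_IP 500 to $PEER 500 out via $EXT_IF

    # The remote private network is legitimate only after decapsulation,
    # i.e. on the tunnel interface; anything else arriving there is dropped.
    $IPFW add 300 allow ip from $REMOTE_NET to $LOCAL_NET in via $TUN_IF
    $IPFW add 310 deny log ip from any to any in via $TUN_IF
    $IPFW add 320 allow ip from $LOCAL_NET to $REMOTE_NET out via $TUN_IF

    # Outbound from the LAN, replies back in, and a default deny.
    $IPFW add 400 allow ip from $LOCAL_NET to any out via $EXT_IF
    $IPFW add 410 allow tcp from any to any established in via $EXT_IF
    $IPFW add 65000 deny log ip from any to any
}

load_rules
```

Running it with `IPFW=echo` prints the rules instead of installing them, which is a cheap way to review the ordering before loading on a live box.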