Date: Fri, 4 May 2001 23:42:49 -0500 (CDT)
From: Nick Rogness <nick@rogness.net>
To: Flemming Frøkjær <flemming@froekjaer.org>
Cc: questions@FreeBSD.ORG
Subject: Re: ipsec/ipfw combination insecure?
Message-ID: <Pine.BSF.4.21.0105042333220.23729-100000@cody.jharris.com>
In-Reply-To: <3174.63.105.19.225.989018470.squirrel@sleipner.eiffel.dk>
On Fri, 4 May 2001, Flemming Frøkjær wrote:

> When using ipsec to set up a VPN, address translation is taking place
> before ipfw gets the packets. This means that ipfw sees the packets from
> the remote RFC1918 network as coming from the external network
> interface, and thus one is forced to bore a gaping hole for incoming
> traffic in that IP range for the VPN to work. As far as I know, hackers
> can easily spoof their IP, so it will look like their packets are coming
> from that very same IP range. Am I too paranoid here, or is there really
> a security problem with this?

	Well, on a local network, yes, spoofing is easy. Coming in from
	the internet *may* be a different story. If everyone were to run
	packet filters on their borders to prevent spoofing this would
	never be a problem. Unfortunately, this does not always
	happen...so, yes, being concerned is a smart thing.

> If there is, what can be done about it?

	Possibly running tunnels between your machine and the other
	network. Then add crypto on top of that. Makes things a tad more
	difficult to break.

Nick Rogness <nick@rogness.net>
 - Keep on Routing in a Free World...
   "FreeBSD: The Power to Serve!"
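The point behind the tunnel suggestion is that once the remote site's traffic arrives through a dedicated tunnel interface, the firewall can tell it apart from anything that merely claims a private source address on the Internet-facing interface. The following is an added example, not code from the thread or from FreeBSD: a small Python model of that per-interface anti-spoofing policy, plus the equivalent ipfw rule lines it would correspond to. The interface names (fxp0 as the external interface, gif0 as the tunnel), the remote network 192.168.2.0/24 and the sample packets are all constructed for illustration.

```python
"""Model of per-interface anti-spoofing (ingress) filtering for a VPN.

Added example for the ipsec/ipfw thread; not the thread's or FreeBSD's code.
Interface names, the remote network and the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: legitimate only inside the VPN, never from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EXTERNAL_IF = "fxp0"  # assumed: interface facing the Internet
TUNNEL_IF = "gif0"    # assumed: tunnel interface carrying the remote site


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # source address as text


def is_private(addr: str) -> bool:
    """True if addr falls in any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def verdict(pkt: Packet, remote_net: str = "192.168.2.0/24") -> str:
    """Return 'allow' or 'deny' for an inbound packet.

    Policy: private sources are accepted only on the tunnel interface, and
    only if they belong to the remote site's network. On the external
    interface every private source is treated as spoofed and dropped, so no
    hole for the remote RFC 1918 range is needed on the Internet side.
    """
    ip = ipaddress.ip_address(pkt.src)
    if pkt.iface == TUNNEL_IF:
        return "allow" if ip in ipaddress.ip_network(remote_net) else "deny"
    if pkt.iface == EXTERNAL_IF and is_private(pkt.src):
        return "deny"
    return "allow"


def ipfw_rules(remote_net: str = "192.168.2.0/24") -> list:
    """ipfw rule lines expressing the same policy (FreeBSD 4.x syntax).

    Returned as text only; nothing is executed here.
    """
    rules = []
    num = 100
    for net in RFC1918:
        rules.append(f"ipfw add {num} deny ip from {net} to any in via {EXTERNAL_IF}")
        num += 10
    rules.append(f"ipfw add {num} allow ip from {remote_net} to any in via {TUNNEL_IF}")
    rules.append(f"ipfw add {num + 10} deny ip from any to any in via {TUNNEL_IF}")
    return rules


if __name__ == "__main__":
    # Constructed sample traffic: a spoofed private source on the external
    # interface, the same address arriving via the tunnel, and a public source.
    samples = [Packet("fxp0", "192.168.2.7"),
               Packet("gif0", "192.168.2.7"),
               Packet("gif0", "10.9.9.9"),
               Packet("fxp0", "203.0.113.5")]
    for pkt in samples:
        print(f"{pkt.iface:5} {pkt.src:15} -> {verdict(pkt)}")
    print("\n".join(ipfw_rules()))
```

The decisive input is the arrival interface, not the source address alone: the same 192.168.2.7 source is dropped on fxp0 and accepted on gif0, which is exactly what a flat "allow the remote range" rule on the external interface cannot express.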