Date: Wed, 7 May 2003 00:07:47 +0200
From: Danny Carroll
To: Matt Piechota
Cc: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <1052258867.b640e23b86613@www.dannysplace.com>
In-Reply-To: <20030506092623.I56271@cithaeron.argolis.org>
References: <20030430190040.A78C937B407@hub.freebsd.org> <1051788543.641.31.camel@thoreau.sohotech.ca> <20030501104614.A29056@chaos.obstruction.com> <1052214194.d45fa9082ef35@www.dannysplace.com> <20030506092623.I56271@cithaeron.argolis.org>

> On Tue, 6 May 2003, Danny Carroll wrote:
>
> > FYI I have done this in ipfw/natd... It's just as easy. I think I only added
> > one rule to my firewall and nothing to my natd.conf
> >
> > Now I can VPN from any machine on the internal LAN to multiple VPNs.
> > If you want I can send you the ruleset.
>
> Please do! I was just working up to converting, but if it works, this'll
> be much easier.
>
> Matt Piechota

Umm, I looked at my ruleset and I found nothing... Then I remembered what I
needed to do.

Basically 90% of the rulesets out there work on allowing IP and UDP. But
since esp is a different protocol to IP, it gets dropped.

I think those that wanted my ruleset do not really need it... Just look for
the lines that you have saying "allow ip from..." and add similar ones that
say "allow esp from", or change them to "allow tcp from".

That last one is what I have done, and it occurs to me now that it might just
be a little too open... So, here is the ruleset I would write for a standard
home gateway with an internal network of 192.168.100.x and an external IP
address of 1.2.3.4. xl0 is the outside interface, xl1 is the inside.

Now, this minute, I have left my laptop at work so I have no way to test the
VPN, but I am pretty sure that normal udp/tcp keep-state rules allow esp....

Someone hit me over the head if I have muddled this up... It's a little late.

-D

p.s. Will send my ruleset if you *really* want it. But not to the list.
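The gateway ruleset the post describes (LAN 192.168.100.0/24, xl0 outside, xl1 inside, natd in front), written here as an added example and not the poster's own rules: it gives ESP its own rules in each direction and orders the natd divert and the stateful rules so that IKE replies are translated before check-state sees them. Rule numbers, natd already running on its default divert port, and the inclusion of UDP 4500 (NAT-T) next to UDP 500 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the poster's ruleset): emit the ipfw rules that let LAN
# hosts behind a FreeBSD ipfw/natd home gateway reach remote IPsec VPNs.
# Defaults follow the post: LAN 192.168.100.0/24, xl0 outside, xl1 inside.
# Assumptions: natd is already running on its default divert port, rule
# numbers are arbitrary, and UDP 4500 (NAT-T) is included alongside UDP 500.
# Usage on the gateway:  ipsec_rules [outside_if] [inside_if] [lan_cidr] | sh

ipsec_rules() {
    oif=${1:-xl0}
    iif=${2:-xl1}
    lan=${3:-192.168.100.0/24}
    cat <<EOF
# Traffic that never leaves the LAN or the box itself is not filtered here
ipfw -q add 100 allow ip from any to any via ${iif}
ipfw -q add 110 allow ip from any to any via lo0
# Inbound: translate first, so check-state sees the LAN address the
# dynamic rule was created with
ipfw -q add 200 divert natd ip from any to any in via ${oif}
ipfw -q add 210 check-state
# Outbound IKE (UDP 500) and NAT-T (UDP 4500): remember the flow, then jump
# to the NAT step instead of "allow", which would skip translation
ipfw -q add 300 skipto 800 udp from ${lan} to any 500,4500 out via ${oif} keep-state
# ESP is IP protocol 50, not TCP or UDP, so the generic tcp/udp rules never
# match it; it needs its own rule in each direction
ipfw -q add 310 skipto 800 esp from ${lan} to any out via ${oif}
ipfw -q add 320 allow esp from any to ${lan} in via ${oif}
# Everything else crossing the outside interface is dropped and logged
ipfw -q add 500 deny log ip from any to any via ${oif}
# NAT step for outbound traffic the rules above sent here
ipfw -q add 800 divert natd ip from any to any out via ${oif}
ipfw -q add 810 allow ip from any to any
EOF
}
```

Other LAN-originated traffic (web, mail, DNS) gets its own `skipto 800 ... keep-state` rules in the same block as rule 300; the only IPsec-specific pieces are the UDP 500/4500 rule and the two esp rules.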