Interaction between ipfw, IPSEC and natd
From: Brian Candler (B.Candler@pobox.com)
Date: 04/10/01
- Next message: Brett Glass: "Re: Will fixes for these FTP holes be MFC'ed in before release?"
- Previous message: Szilveszter Adam: "Re: Security Announcements?"
- Next in thread: Rasputin: "Re: Interaction between ipfw, IPSEC and natd"
- Reply: Rasputin: "Re: Interaction between ipfw, IPSEC and natd"
- Maybe reply: Lowell Gilbert: "Re: Interaction between ipfw, IPSEC and natd"
- Maybe reply: Brian Candler: "Re: Interaction between ipfw, IPSEC and natd"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 10 Apr 2001 18:14:07 +0100 From: Brian Candler <B.Candler@pobox.com> To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Is there any documentation on how ipfw, natd and IPSEC interact with each
other? In particular,
- what is the order of processing of inbound and outbound packets?
- when packets are re-injected by natd, where in the whole system are they
re-injected?
- do packets reinjected by natd still match 'in via <interface>' or
'out via <interface>'? (OK, I could determine this one experimentally,
but I'd still like to see it documented :-)
I see that by default FreeBSD puts its natd divert rule right at the very
top of the ruleset, but I have found that this stops IPSEC processing
working. I can make it work by putting natd lower down: e.g.
add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8 # private addrs
add 02000 divert 8668 ip from any to any via xl0 # external i/face
Here, subnets of 10.0.0.0/8 are behind the 'private' interface and also the
remote endpoints of IPSEC tunnels; there are IPSEC SA's which define them
exactly. However in this case I find it difficult to add anti-spoofing rules
on external interfaces without breaking either IPSEC or NAT.
Note that even in the presence of IPSEC, anti-spoofing rules _are_ still
required. For example, I have an SA which says
spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any
-P out none;
spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any
-P in none;
(where 10.0.1.0/24 is the locally-attached subnet and other downstream
subnets are within the /20). This is in order to allow local, non-encrypted
traffic to be routed via this box. However the presence of this SA means
that I really need an anti-spoofing filter on the public interface to
prevent packets matching this null SA being injected from outside.
In the end, I want to build a firewall with:
- antispoofing on all interfaces
- various IPSEC tunnels to distant subnets of private network
- natd for sessions going out of "public" interface
- the ability to add other ipfw policy controls
and not only should it work, but I should also have some confidence that it
is actually secure and doing what I intend - which means I really need to
understand how all these bits fit together :-)
Thanks,
Brian.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Brett Glass: "Re: Will fixes for these FTP holes be MFC'ed in before release?"
- Previous message: Szilveszter Adam: "Re: Security Announcements?"
- Next in thread: Rasputin: "Re: Interaction between ipfw, IPSEC and natd"
- Reply: Rasputin: "Re: Interaction between ipfw, IPSEC and natd"
- Maybe reply: Lowell Gilbert: "Re: Interaction between ipfw, IPSEC and natd"
- Maybe reply: Brian Candler: "Re: Interaction between ipfw, IPSEC and natd"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
