Interaction between ipfw, IPSEC and natd

From: Brian Candler (B.Candler@pobox.com)
Date: 04/10/01


Date: Tue, 10 Apr 2001 18:14:07 +0100
From: Brian Candler <B.Candler@pobox.com>
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org

Is there any documentation on how ipfw, natd and IPSEC interact with each
other? In particular,
- what is the order of processing of inbound and outbound packets?
- when packets are re-injected by natd, where in the whole system are they
  re-injected?
- do packets reinjected by natd still match 'in via <interface>' or
  'out via <interface>'? (OK, I could determine this one experimentally,
  but I'd still like to see it documented :-)

I see that by default FreeBSD puts its natd divert rule right at the very
top of the ruleset, but I have found that this stops IPSEC processing
working. I can make it work by putting natd lower down: e.g.

add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8 # private addrs
add 02000 divert 8668 ip from any to any via xl0 # external i/face

Here, subnets of 10.0.0.0/8 are behind the 'private' interface and also the
remote endpoints of IPSEC tunnels; there are IPSEC SA's which define them
exactly. However in this case I find it difficult to add anti-spoofing rules
on external interfaces without breaking either IPSEC or NAT.

Note that even in the presence of IPSEC, anti-spoofing rules _are_ still
required. For example, I have an SA which says

spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any
        -P out none;
spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any
        -P in none;

(where 10.0.1.0/24 is the locally-attached subnet and other downstream
subnets are within the /20). This is in order to allow local, non-encrypted
traffic to be routed via this box. However the presence of this SA means
that I really need an anti-spoofing filter on the public interface to
prevent packets matching this null SA being injected from outside.

In the end, I want to build a firewall with:
- antispoofing on all interfaces
- various IPSEC tunnels to distant subnets of private network
- natd for sessions going out of "public" interface
- the ability to add other ipfw policy controls

and not only should it work, but I should also have some confidence that it
is actually secure and doing what I intend - which means I really need to
understand how all these bits fit together :-)

Thanks,

Brian.
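The ruleset shape this mail is working towards, written out as an added example in the style of FreeBSD's rc.firewall; it is not from the mail or from FreeBSD itself. It takes xl0 as the public interface, 10.0.0.0/8 as the private address space and 8668 as the natd divert port from the mail, assumes xl1 as the private interface, and uses the ipfw2 keywords `ipsec` (match packets the kernel has just decapsulated from an IPsec tunnel) and `antispoof` (drop packets whose directly connected source network does not match the arrival interface), which appeared in FreeBSD 5 and did not exist when the mail was written. The point it shows is ordering: the anti-spoofing denies come first, the private-to-private permit the mail describes sits ahead of the divert so natd never rewrites packets that are about to be encrypted, and a final deny catches anything that left untranslated.

```shell
#!/bin/sh
# Added example, not from the original mail: an rc.firewall-style ipfw
# ruleset combining anti-spoofing, IPsec pass-through and a natd divert.
# Needs ipfw2 (FreeBSD 5 or later) for the "ipsec" and "antispoof" options.

pub_if="xl0"           # public interface (from the mail)
priv_if="xl1"          # private interface (assumed name)
priv_net="10.0.0.0/8"  # private address space (from the mail)
natd_port="8668"       # natd divert port (from the mail)

# DRYRUN=1 prints the rules instead of loading them, for review.
fwcmd() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

build_ruleset() {
    fwcmd -f flush

    # Loopback sanity checks, as in the stock rc.firewall.
    fwcmd add 100 allow ip from any to any via lo0
    fwcmd add 110 deny ip from any to 127.0.0.0/8
    fwcmd add 120 deny ip from 127.0.0.0/8 to any

    # Inner packets the kernel has just decapsulated from a tunnel carry
    # IPsec history. Accept them by that mark, ahead of the anti-spoofing
    # rules, so a cleartext packet with the same addresses is still refused.
    # (Assumption: the inner packet revisits ipfw at all, which on newer
    # kernels is controlled by net.inet.ipsec.filtertunnel.)
    fwcmd add 190 allow ip from ${priv_net} to ${priv_net} ipsec

    # Anti-spoofing, before anything that accepts or translates. ESP from a
    # tunnel peer arrives with the peer's public source address, so rule 200
    # leaves it alone; it drops only cleartext packets claiming a private
    # source, the case a "-P in none" policy would otherwise admit.
    fwcmd add 200 deny log ip from ${priv_net} to any in via ${pub_if}
    fwcmd add 210 deny log ip from not ${priv_net} to any in via ${priv_if}
    fwcmd add 220 deny log ip from any to any not antispoof in

    # IKE (500, and 4500 for NAT-T) and ESP to and from the tunnel peers.
    fwcmd add 300 allow udp from any to any 500,4500 via ${pub_if}
    fwcmd add 310 allow esp from any to any via ${pub_if}

    # The mail's own fix: private-to-private traffic (local subnets and the
    # subnets behind the tunnels) is permitted before the divert, so natd
    # never sees packets that IPsec will encrypt.
    fwcmd add 1000 allow ip from ${priv_net} to ${priv_net}

    # NAT for everything else crossing the public interface. Packets natd
    # re-injects resume at the rule after this one.
    fwcmd add 2000 divert ${natd_port} ip from any to any via ${pub_if}

    # A packet still carrying a private source on the way out was not
    # translated: drop and log it rather than leak it.
    fwcmd add 2100 deny log ip from ${priv_net} to any out via ${pub_if}

    # Site policy goes here. This stateless minimum lets the private side
    # initiate TCP and admits the replies; UDP and ICMP are left to the site.
    fwcmd add 3000 allow ip from any to any out via ${pub_if}
    fwcmd add 3010 allow ip from ${priv_net} to any in via ${priv_if}
    fwcmd add 3020 allow tcp from any to any established
    fwcmd add 3030 allow ip from any to ${priv_net} out via ${priv_if}

    # Everything else is refused and logged (rule 65535 would deny anyway).
    fwcmd add 65000 deny log ip from any to any
}

# "sh fw.sh load" installs the rules; "DRYRUN=1 sh fw.sh load" prints them.
case "${1:-}" in
    load) build_ruleset ;;
esac
```

Reviewing the printed output with DRYRUN=1 before loading is the cheap way to confirm that rule 200 really precedes the divert and that rule 1000 precedes it too; with `net.inet.ip.fw.one_pass` left at its default, the packets natd hands back continue at rule 2100 rather than restarting at the top, which is what rule 2100 relies on.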
