Re: Interaction between ipfw, IPSEC and natd

From: Lowell Gilbert (lowell@world.std.com)
Date: 04/11/01


To: Rasputin <rara.rasputin@virgin.net>, freebsd-security@freebsd.org
From: Lowell Gilbert <lowell@world.std.com>
Date: 11 Apr 2001 11:25:31 -0400

rara.rasputin@virgin.net (Rasputin) writes:

> Does anybody know if ipfilter has similar problems with IPSec?

Some forms of IPSEC have fundamental problems with packet rewriting,
which means that NAT is extremely hard to use in an IPSEC environment.
Notably, end-to-end IPSEC modes are broken, although router-based
tunnels can be a problem depending on whether the NAT rewriting occurs
before or after the IPSEC headers are applied.

Even without NAT, though, firewalls are a little tricky to configure
for IPSEC packets. This is because the firewall can't see the
protocol ports (or even the protocol, for that matter) in the packet,
so you have to make pass/drop decisions for IPSEC packets without that
information. Both ipfilter and ipfw have some ability to deal with IP
options, but it's a little limited in both cases and I'm too far out
of my depth to speculate on what the right approach to firewalling
IPSEC would be.

Be well.
        Lowell Gilbert

-- 
Everybody is ignorant, only on different subjects.
		-- Will Rogers
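The two points Lowell makes above, that a packet filter sees no ports (or even inner protocol) once a packet is wrapped in ESP, and that rewriting addresses breaks end-to-end IPsec, can be shown with a few hand-built packets. The following is an added example, not code from the thread or from ipfw/ipfilter/natd. It constructs a TCP packet, the same payload wrapped in ESP and in AH, and a natd-style source rewrite. The AH integrity check is a simplified HMAC-SHA1-96 over the header with only TTL and checksum treated as mutable, and FAKE_AH_KEY is a made-up key standing in for a real SA; the "encryption" in ESP is a placeholder XOR so the payload is clearly opaque to the filter.

```python
"""
Added example (not from the original thread): what a packet filter can
see on IPsec traffic, and why address rewriting (NAT) breaks AH.
All packets are constructed inline; the AH key is a toy assumption.
"""
import hashlib
import hmac
import socket
import struct

ESP, AH, TCP, UDP = 50, 51, 6, 17
FAKE_AH_KEY = b"example-key-not-a-real-sa"  # assumption: stands in for an SA key
IP_FMT = "!BBHHHBBH4s4s"                    # minimal 20-byte IPv4 header


def ipv4_header(src, dst, proto, payload_len):
    # TTL 64, id/flags/checksum zero; checksum is irrelevant for the demo.
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_packet(src, dst, sport, dport):
    # 20-byte TCP header, SYN, no options.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ipv4_header(src, dst, TCP, len(tcp)) + tcp


def esp_packet(src, dst, spi, seq, inner):
    # ESP: SPI, sequence number, then the protected payload. The XOR is a
    # placeholder for encryption; the point is that nothing after the
    # 8-byte ESP header is interpretable without the SA.
    ciphertext = bytes(b ^ 0xAA for b in inner)
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def ah_icv(ip_hdr, ah_hdr_with_zero_icv, payload, key):
    # AH covers the outer IP header with mutable fields zeroed. Source and
    # destination addresses are immutable and are covered, which is exactly
    # what NAT rewrites. (Simplified: real AH also zeroes TOS/flags/offset.)
    fields = list(struct.unpack(IP_FMT, ip_hdr))
    fields[5] = 0  # TTL
    fields[7] = 0  # header checksum
    covered = struct.pack(IP_FMT, *fields) + ah_hdr_with_zero_icv + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96


def ah_packet(src, dst, spi, seq, next_proto, payload, key):
    # AH header: next header, payload len (32-bit words minus 2), reserved,
    # SPI, sequence, then a 12-byte ICV. Total 24 bytes -> length field 4.
    ah_fixed = struct.pack("!BBHII", next_proto, 24 // 4 - 2, 0, spi, seq)
    ip = ipv4_header(src, dst, AH, 24 + len(payload))
    icv = ah_icv(ip, ah_fixed + b"\x00" * 12, payload, key)
    return ip + ah_fixed + icv + payload


def verify_ah(pkt, key):
    """Receiver-side AH check: recompute the ICV with the ICV field zeroed."""
    ip, rest = pkt[:20], pkt[20:]
    ah_fixed, icv, payload = rest[:12], rest[12:24], rest[24:]
    expected = ah_icv(ip, ah_fixed + b"\x00" * 12, payload, key)
    return hmac.compare_digest(expected, icv)


def filter_view(pkt):
    """What a stateless filter (ipfw-style) can match on without SA keys."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:]
    view = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    if proto in (TCP, UDP):
        view["sport"], view["dport"] = struct.unpack("!HH", body[:4])
    elif proto == ESP:
        view["spi"] = struct.unpack("!I", body[:4])[0]   # ports and inner proto hidden
    elif proto == AH:
        view["next_proto"] = body[0]                     # inner proto visible,
        view["spi"] = struct.unpack("!I", body[4:8])[0]  # but rules match on proto 51
    return view


def nat_rewrite_src(pkt, new_src):
    """natd-style source rewrite of the outer IPv4 header (bytes 12..15)."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def demo():
    plain = tcp_packet("10.0.0.2", "192.0.2.10", 40000, 22)
    esp = esp_packet("10.0.0.2", "192.0.2.10", 0x1234, 1, plain[20:])
    ah = ah_packet("10.0.0.2", "192.0.2.10", 0x5678, 1, TCP, plain[20:], FAKE_AH_KEY)
    natted_ah = nat_rewrite_src(ah, "203.0.113.1")
    return {
        "tcp_view": filter_view(plain),        # has sport/dport
        "esp_view": filter_view(esp),          # only spi; no ports
        "ah_ok_before_nat": verify_ah(ah, FAKE_AH_KEY),
        "ah_ok_after_nat": verify_ah(natted_ah, FAKE_AH_KEY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The ESP view shows why the filter must decide on (src, dst, proto 50, SPI) alone, and the AH result shows the end-to-end breakage Lowell describes: after natd rewrites the source address, the receiver's ICV check fails, so the packet is dropped by the peer rather than by the firewall.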