Re: Interaction between ipfw, IPSEC and natd

From: Lowell Gilbert (lowell@world.std.com)
Date: 04/11/01


To: Rasputin <rara.rasputin@virgin.net>, freebsd-security@freebsd.org
From: Lowell Gilbert <lowell@world.std.com>
Date: 11 Apr 2001 11:25:31 -0400

rara.rasputin@virgin.net (Rasputin) writes:

> Does anybody know if ipfilter has similar problems with IPSec?

Some forms of IPSEC have fundamental problems with packet rewriting,
which means that NAT is extremely hard to use in an IPSEC environment.
Notably, end-to-end IPSEC modes are broken, although router-based
tunnels can be a problem depending on whether the NAT rewriting occurs
before or after the IPSEC headers are applied.

Even without NAT, though, firewalls are a little tricky to configure
for IPSEC packets. This is because the firewall can't see the
protocol ports (or even the protocol, for that matter) in the packet,
so you have to make pass/drop decisions for IPSEC packets without that
information. Both ipfilter and ipfw have some ability to deal with IP
options, but it's a little limited in both cases and I'm too far out
of my depth to speculate on what the right approach to firewalling
IPSEC would be.

Be well.
        Lowell Gilbert

-- 
Everybody is ignorant, only on different subjects.
		-- Will Rogers
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message