Re: Interaction between ipfw, IPSEC and natd
From: Eric Anderson (anderson@centtech.com)
Date: 04/11/01
- Next message: Rasputin: "Re: Interaction between ipfw, IPSEC and natd"
- Previous message: Lowell Gilbert: "Re: Interaction between ipfw, IPSEC and natd"
- In reply to: Lowell Gilbert: "Re: Interaction between ipfw, IPSEC and natd"
- Next in thread: Rasputin: "Re: Interaction between ipfw, IPSEC and natd"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 11 Apr 2001 10:31:10 -0500
From: Eric Anderson <anderson@centtech.com>
To: Lowell Gilbert <lowell@world.std.com>
I was having a hard time getting NATD to work with ipfw and IPSEC, so I
tried IPFILTER (ipf) and ipnat, and they work fairly well together. The
firewall rules are still a pain to get working, however, but I'm much
farther along than I was with ipfw and NATD.
Eric
Lowell Gilbert wrote:
>
> rara.rasputin@virgin.net (Rasputin) writes:
>
> > Does anybody know if ipfilter has similar problems with IPSec?
>
> Some forms of IPSEC have fundamental problems with packet rewriting,
> which means that NAT is extremely hard to use in an IPSEC environment.
> Notably, end-to-end IPSEC modes are broken, although router-based
> tunnels can be a problem depending on whether the NAT rewriting occurs
> before or after the IPSEC headers are applied.
>
> Even without NAT, though, firewalls are a little tricky to configure
> for IPSEC packets. This is because the firewall can't see the
> protocol ports (or even the protocol, for that matter) in the packet,
> so you have to make pass/drop decisions for IPSEC packets without that
> information. Both ipfilter and ipfw have some ability to deal with IP
> options, but it's a little limited in both cases and I'm too far out
> of my depth to speculate on what the right approach to firewalling
> IPSEC would be.
>
> Be well.
> Lowell Gilbert
> --
> Everybody is ignorant, only on different subjects.
> -- Will Rogers
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
To see a need and wait to be asked, is to already refuse.
-------------------------------------------------------------------------------
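The point made in Lowell's quoted reply, that a firewall handling IPSEC traffic sees only addresses, the IP protocol number and the SPI, never the inner ports, and so has to pass or drop on those fields alone, as an added example that is not from this thread or from ipfw/ipfilter. The packets, addresses and the first-match rule set are constructed for illustration.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51

def ipv4(src, dst, proto, payload):
    """Build a constructed IPv4 packet with a bare 20-byte header (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src, dst)
    return hdr + payload

def classify(pkt):
    """Return only the fields a packet filter can actually see for this packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    fields = {"src": ".".join(map(str, pkt[12:16])),
              "dst": ".".join(map(str, pkt[16:20])),
              "proto": proto}
    body = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        fields["sport"], fields["dport"] = struct.unpack("!HH", body[:4])
    elif proto == IPPROTO_ESP:
        # ESP: SPI and sequence number are in the clear; the inner header,
        # its protocol and its ports are encrypted, so no port match is possible.
        fields["spi"] = struct.unpack("!I", body[:4])[0]
    elif proto == IPPROTO_AH:
        # AH: next-header, length, reserved, then the SPI at offset 4.
        fields["spi"] = struct.unpack("!I", body[4:8])[0]
    return fields

def decide(rules, fields):
    """First-match evaluation, ipfw style; falls through to deny."""
    for action, match in rules:
        if all(fields.get(k) == v for k, v in match.items()):
            return action
    return "deny"

# Constructed policy: IKE (UDP 500) and ESP to one gateway, nothing else.
RULES = [
    ("allow", {"proto": IPPROTO_UDP, "dport": 500, "dst": "192.0.2.1"}),
    ("allow", {"proto": IPPROTO_ESP, "dst": "192.0.2.1"}),
    ("deny", {}),
]

# Constructed sample packets from 198.51.100.7 to 192.0.2.1.
SRC, DST = bytes([198, 51, 100, 7]), bytes([192, 0, 2, 1])
SAMPLE_ESP = ipv4(SRC, DST, IPPROTO_ESP, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16)
SAMPLE_AH = ipv4(SRC, DST, IPPROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x0BADCAFE, 1) + b"\x00" * 12)
SAMPLE_IKE = ipv4(SRC, DST, IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0))
SAMPLE_SSH = ipv4(SRC, DST, IPPROTO_TCP, struct.pack("!HH", 40000, 22) + b"\x00" * 16)
```

Note that the ESP rule can only be narrowed further by source, destination or SPI; anything the inner packet carries is invisible to the filter.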