Re: Interaction between ipfw, IPSEC and natd

From: Eric Anderson (anderson@centtech.com)
Date: 04/11/01


Date: Wed, 11 Apr 2001 10:31:10 -0500
From: Eric Anderson <anderson@centtech.com>
To: Lowell Gilbert <lowell@world.std.com>

I was having a hard time getting NATD to work with ipfw and IPSEC, so I
tried IPFILTER (ipf) and ipnat, and they work fairly well together. The
firewall rules are still a pain to get working; however, I'm much
farther along than I was with ipfw and NATD.

Eric

Lowell Gilbert wrote:
>
> rara.rasputin@virgin.net (Rasputin) writes:
>
> > Does anybody know if ipfilter has similar problems with IPSec?
>
> Some forms of IPSEC have fundamental problems with packet rewriting,
> which means that NAT is extremely hard to use in an IPSEC environment.
> Notably, end-to-end IPSEC modes are broken, although router-based
> tunnels can be a problem depending on whether the NAT rewriting occurs
> before or after the IPSEC headers are applied.
>
> Even without NAT, though, firewalls are a little tricky to configure
> for IPSEC packets. This is because the firewall can't see the
> protocol ports (or even the protocol, for that matter) in the packet,
> so you have to make pass/drop decisions for IPSEC packets without that
> information. Both ipfilter and ipfw have some ability to deal with IP
> options, but it's a little limited in both cases and I'm too far out
> of my depth to speculate on what the right approach to firewalling
> IPSEC would be.
>
> Be well.
> Lowell Gilbert
> --
> Everybody is ignorant, only on different subjects.
> -- Will Rogers
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
-------------------------------------------------------------------------------
Eric Anderson						anderson@centtech.com
Centaur Technology				   	   (512) 418-5792
To see a need and wait to be asked, is to already refuse.
-------------------------------------------------------------------------------
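Lowell's two points above (a filter cannot read the real protocol or ports out of an IPSEC packet, and NAT's address rewriting breaks end-to-end IPSEC) can be shown with a few lines of packet construction. The following is an added illustration, not code from this thread or from FreeBSD; it builds constructed IPv4 packets for TCP, ESP and AH in transport mode, shows what a stateless filter can extract from each, and then recomputes the AH integrity check (HMAC-SHA1-96 per RFC 2402/2404, simplified) after a natd-style source-address rewrite. The addresses, SPIs and the AH key are all made up for the example.

```python
"""Constructed example: what a packet filter sees for TCP vs. ESP/AH, and why
a NAT rewrite of the outer address breaks an AH integrity check.
Assumes IPv4 transport mode and HMAC-SHA1-96 for AH; key and addresses are
demo values, not from the original thread."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
AH_KEY = bytes.fromhex("0f" * 20)  # constructed demo key (assumption)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; header checksum left zero (unused here)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def classify(pkt):
    """Everything a stateless filter can read without the IPSEC keys."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"proto": proto,
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    body = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    elif proto == IPPROTO_ESP:
        # Only SPI and sequence number are in the clear; the inner header,
        # and with it the real protocol and ports, is encrypted.
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    elif proto == IPPROTO_AH:
        # AH exposes the next-header value and SPI; a 2001-era filter that
        # does not parse past the AH header still cannot match on ports.
        info["next_header"] = body[0]
        info["spi"], info["seq"] = struct.unpack("!II", body[4:12])
    return info


def ah_icv(ip_hdr, ah_hdr_no_icv, payload, key=AH_KEY):
    """HMAC-SHA1-96 over the IP header with mutable fields zeroed, the AH
    header with a zeroed ICV field, and the payload (RFC 2402 section 3.3.3).
    Source and destination addresses are immutable and stay in the MAC input,
    which is exactly why NAT cannot rewrite them without breaking the check."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    data = bytes(h) + ah_hdr_no_icv + b"\x00" * 12 + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def build_ah_packet(src, dst, tcp_segment, key=AH_KEY):
    """IPv4 + AH (24 bytes incl. 96-bit ICV) + TCP segment, transport mode."""
    ah_len_words = 24 // 4 - 2  # AH "payload len" field: length in words minus 2
    ah_no_icv = struct.pack("!BBHII", IPPROTO_TCP, ah_len_words, 0, 0x1000, 1)
    ip = ipv4_header(src, dst, IPPROTO_AH, 24 + len(tcp_segment))
    return ip + ah_no_icv + ah_icv(ip, ah_no_icv, tcp_segment, key) + tcp_segment


def verify_ah(pkt, key=AH_KEY):
    """Recompute the ICV as the receiving host would."""
    ip, rest = pkt[:20], pkt[20:]
    ah_no_icv, icv, payload = rest[:12], rest[12:24], rest[24:]
    return hmac.compare_digest(ah_icv(ip, ah_no_icv, payload, key), icv)


def nat_rewrite_src(pkt, new_src):
    """What natd/ipnat do on the way out: replace the source address."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


# Constructed sample traffic: TCP SYN 10.0.0.5:40000 -> 192.0.2.10:22
SAMPLE_TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0)
SAMPLE_TCP = ipv4_header("10.0.0.5", "192.0.2.10", IPPROTO_TCP,
                         len(SAMPLE_TCP_SEGMENT)) + SAMPLE_TCP_SEGMENT
# Same segment as it would look inside ESP: SPI + seq + 32 opaque bytes
SAMPLE_ESP = (ipv4_header("10.0.0.5", "192.0.2.10", IPPROTO_ESP, 8 + 32)
              + struct.pack("!II", 0x2000, 1) + b"\x00" * 32)
SAMPLE_AH = build_ah_packet("10.0.0.5", "192.0.2.10", SAMPLE_TCP_SEGMENT)

if __name__ == "__main__":
    for name, pkt in (("tcp", SAMPLE_TCP), ("esp", SAMPLE_ESP), ("ah", SAMPLE_AH)):
        print(name, classify(pkt))
    print("AH valid as sent:      ", verify_ah(SAMPLE_AH))
    print("AH valid after NAT:    ", verify_ah(nat_rewrite_src(SAMPLE_AH, "203.0.113.1")))
```

The classify() output is the whole basis a rule set has for IPSEC traffic: protocol 50 or 51 plus the outer addresses and SPI, which is why rules end up as "pass esp/ah between these two hosts" rather than per-service. The AH case shows the rewriting problem directly: once natd changes the source address the receiver's recomputed ICV no longer matches, and no amount of NAT cleverness can fix it without the key. ESP tolerates an outer-address rewrite because its ICV does not cover the outer header, but in transport mode the encrypted inner TCP checksum still covers the original addresses, so end-to-end ESP through NAT fails further up the stack instead.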