Re: how to configure a FreeBSD firewall to pass IPSec?

From: Peter Pentchev (roam_at_ringlet.net)
Date: 05/07/03

  • Next message: Danny Carroll: "Re: how to configure a FreeBSD firewall to pass IPSec?"
    Date: Wed, 7 May 2003 08:50:36 +0300
    To: Danny Carroll <fbsd@dannysplace.net>
    
    
    

    On Wed, May 07, 2003 at 12:07:47AM +0200, Danny Carroll wrote:
    > > On Tue, 6 May 2003, Danny Carroll wrote:
    > > > FYI I have done this in ipfw/natd... It's just as easy. I think I only
    > added
    > > > one rule to my firewall and nothing to my natd.conf
    > > >
    > > > Now I can vpn from any machine on the internal lan to multiple vpn's.
    > > > If you want I can send you the ruleset.
    > >
    > > Please do! I was just working up to converting, but if it works, this'll
    > > be much easier.
    > > Matt Piechota
    >
    >
    > Umm I looked at my ruleset and I found nothing...
    > Then I remembered what I needed to do..
    >
    > Basically 90% of the rulesets out there work on allowing IP and UDP
    > But since esp is a different protocol to IP, it gets dropped.

    You have a very good point here, if by 'IP and UDP' you actually meant
    to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
    UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
    ESP packet is an IP packet at the same time. If you meant to say that
    most firewalls only allow TCP and UDP packets, then this is absolutely
    true: a firewall that only allows TCP and UDP, then denies all the rest
    of IP traffic without special provisions for ICMP or ESP, would
    certainly not let any IPsec traffic through.

    Come to think of it, a firewall that only allows TCP and UDP traffic
    and then denies any other IP traffic, including ICMP, is doing a great
    disservice to itself, its internal network, and the Internet at
    large. This has been said many, many times in many forums, but still:
    some ICMP messages are not only beneficial, they are essential for
    the correct operation of the network. Firewalling all ICMP traffic
    is a very bad idea.

    G'luck,
    Peter

    -- 
    Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
    PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
    I am the meaning of this sentence.
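The point Peter makes above (TCP, UDP, ESP and ICMP are all IP; a ruleset that only admits TCP and UDP before a final deny drops IPsec and ICMP alike) is easy to see by running both kinds of ruleset over a handful of packets. The following is an added example, not code from the thread or from FreeBSD: a first-match filter modeled on ipfw semantics, applied to constructed IPv4 packets. The protocol numbers are the IANA assignments; the port lists, the sample packets and the ipfw rule sketches in the comments are assumptions for the demonstration, and NAT (natd) handling and keep-state tracking are not modeled.

```python
"""
Added example (not from the original mailing-list post): a first-match
packet filter in the spirit of ipfw, run over constructed IPv4 packets,
showing why a "TCP and UDP only" ruleset silently drops IPsec (ESP, AH,
IKE) and ICMP, and what an IPsec-aware ruleset admits instead.
"""
import struct
from typing import List, Optional, Set, Tuple

# IANA-assigned IP protocol numbers; all of these ride inside IPv4.
ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51


def ip2bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_packet(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed minimal IPv4 packet: 20-byte header (no options, checksum
    left zero since nothing here verifies it) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, ip2bytes(src), ip2bytes(dst))
    return header + payload


def parse(packet: bytes) -> dict:
    """Extract the fields a rule matches on. The protocol field of the IP
    header is what distinguishes TCP, UDP, ESP, AH and ICMP; ports exist
    only for TCP/UDP, the type byte only for ICMP."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    payload = packet[(ver_ihl & 0x0F) * 4:]
    info = {"proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "dport": None, "icmptype": None}
    if proto in (TCP, UDP) and len(payload) >= 4:
        _, info["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == ICMP and len(payload) >= 1:
        info["icmptype"] = payload[0]
    return info


# A rule: (action, protocol or None for "ip", dst ports or None, icmp types or None)
Rule = Tuple[str, Optional[int], Optional[Set[int]], Optional[Set[int]]]


def decide(packet: bytes, rules: List[Rule]) -> str:
    """First matching rule wins, as in ipfw; no match falls through to deny,
    mirroring ipfw's default rule 65535 in the usual kernel configuration."""
    p = parse(packet)
    for action, proto, dports, icmptypes in rules:
        if proto is not None and p["proto"] != proto:
            continue
        if dports is not None and p["dport"] not in dports:
            continue
        if icmptypes is not None and p["icmptype"] not in icmptypes:
            continue
        return action
    return "deny"


# The "90% ruleset" the thread describes (ports are assumed). Roughly, in ipfw:
#   add allow tcp from any to any 22,80,443 keep-state
#   add allow udp from any to any 53 keep-state
#   add deny ip from any to any
TCP_UDP_ONLY: List[Rule] = [
    ("allow", TCP, {22, 80, 443}, None),
    ("allow", UDP, {53}, None),
    ("deny", None, None, None),
]

# IPsec-aware: IKE on UDP 500, NAT-T on UDP 4500, ESP and AH by protocol
# number, and the ICMP types the network needs, all before the final deny:
#   add allow udp from any to any 500,4500 keep-state
#   add allow esp from any to any
#   add allow ah from any to any
#   add allow icmp from any to any icmptypes 0,3,8,11
IPSEC_AWARE: List[Rule] = [
    ("allow", TCP, {22, 80, 443}, None),
    ("allow", UDP, {53, 500, 4500}, None),
    ("allow", ESP, None, None),
    ("allow", AH, None, None),
    ("allow", ICMP, None, {0, 3, 8, 11}),
    ("deny", None, None, None),
]

# Constructed sample traffic from an internal host to a remote VPN gateway.
SRC, DST = "10.0.0.5", "192.0.2.1"
SAMPLES = {
    "ssh": build_packet(TCP, SRC, DST, struct.pack("!HH", 40000, 22)),
    "ike": build_packet(UDP, SRC, DST, struct.pack("!HH", 500, 500)),
    "natt": build_packet(UDP, SRC, DST, struct.pack("!HH", 4500, 4500)),
    "esp": build_packet(ESP, SRC, DST, struct.pack("!II", 0x1000, 1)),  # SPI, seq
    "ah": build_packet(AH, SRC, DST, b"\x00" * 12),
    "frag_needed": build_packet(ICMP, SRC, DST, bytes([3, 4]) + b"\x00" * 6),  # PMTU
    "redirect": build_packet(ICMP, SRC, DST, bytes([5, 1]) + b"\x00" * 6),
}


def evaluate(rules: List[Rule]) -> dict:
    """Verdict for every sample packet under the given ruleset."""
    return {name: decide(pkt, rules) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("tcp/udp only", TCP_UDP_ONLY), ("ipsec-aware", IPSEC_AWARE)):
        print(label, evaluate(rules))
```

Under the TCP/UDP-only ruleset every IPsec packet (IKE, ESP, AH) and the ICMP "fragmentation needed" message are dropped by the final deny; the IPsec-aware ruleset passes them while still rejecting an ICMP redirect. In a real ipfw configuration the ESP and AH rules cannot be stateful, since there are no ports to track, so they are written as plain allow rules.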
