Re: how to configure a FreeBSD firewall to pass IPSec?
From: Barry Irwin (bvi_at_itouchlabs.com)
Date: 05/09/03
- Previous message: Peter Pentchev: "Re: VPN through BSD for Win2k, totally baffled"
- In reply to: Danny Carroll: "Re: how to configure a FreeBSD firewall to pass IPSec?"
- Next in thread: Matthew D. Fuller: "Re: how to configure a FreeBSD firewall to pass IPSec?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Danny Carroll" <fbsd@dannysplace.net>, "Peter Pentchev" <roam@ringlet.net>
Date: Fri, 9 May 2003 12:16:15 +0200
You just need to allow esp and ah depending on what you are using. Also
remember port 500 for IKE.
Barry
--
Barry Irwin bvi@itouchlabs.com Tel: +27214875178
Systems Administrator: Networks And Security
iTouch Technology iTouch TAS http://www.itouchlabs.com Mobile: +27824457210

----- Original Message -----
From: "Danny Carroll" <fbsd@dannysplace.net>
To: "Peter Pentchev" <roam@ringlet.net>
Cc: <freebsd-security@freebsd.org>
Sent: Wednesday, May 07, 2003 9:33 PM
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

> As promised, my ruleset that works..
> I've removed the lines that are important for me to keep a secret... But
> they are only things like ftp...
> My Natd.conf only has some port redirects for web/ftp etc...
> p.s. Sorry for the top-post...
>
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
>
> # Spoof protection.
> deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0
> deny log logamount 500 ip from any to 10.0.0.0/8 via xl0
> deny log logamount 500 ip from any to 172.16.0.0/12 via xl0
> deny log logamount 500 ip from any to 192.168.0.0/24 via xl0
> deny log logamount 500 ip from 0.0.0.0/8 to any via xl0
> deny log logamount 500 ip from 169.254.0.0/16 to any via xl0
> deny log logamount 500 ip from 192.0.2.0/24 to any via xl0
> deny log logamount 500 ip from 224.0.0.0/4 to any via xl0
> deny log logamount 500 ip from 240.0.0.0/4 to any via xl0
>
> #Disallow smb/nmb
> deny log logamount 500 tcp from any to any 137-139 via xl0
> deny log logamount 500 tcp from any 137-139 to any via xl0
> deny log logamount 500 udp from any to any 137-139 via xl0
> deny log logamount 500 udp from any 137-139 to any via xl0
>
> # Now divert, and setup my pipes... (These are so my web/ftp server leaves
> me some bandwidth)
> pipe 1 ip from 192.168.10.0/24 to any out xmit xl0
> divert 8668 ip from any to any via xl0
> pipe 2 ip from any to 192.168.10.0/24 in recv xl0
>
> allow tcp from any to any established
> allow tcp from any to any 25 setup
> allow tcp from any to any 21 setup
> allow tcp from any to any 80 setup
> allow tcp from any to any 443 setup
> allow udp from 192.168.50.0/24 to any keep-state
> allow tcp from 192.168.50.0/24 to any setup
> deny log logamount 500 tcp from any to any in recv xl0 setup
> allow icmp from any to any
> deny log logamount 500 ip from any to any
> 65535 deny ip from any to any
>
> ----- Original Message -----
> From: "Danny Carroll" <fbsd@dannysplace.net>
> To: "Peter Pentchev" <roam@ringlet.net>
> Cc: <freebsd-security@freebsd.org>
> Sent: Wednesday, May 07, 2003 11:27 AM
> Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
>
>
> > Quoting Peter Pentchev <roam@ringlet.net>:
> > > You have a very good point here, if by 'IP and UDP' you actually meant
> > > to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
> > > UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> > > ESP packet is an IP packet at the same time. If you meant to say that
> > > most firewalls only allow TCP and UDP packets, then this is absolutely
> > > true: a firewall that only allows TCP and UDP, then denies all the rest
> > > of IP traffic without special provisions for ICMP or ESP, would
> > > certainly not let any IPsec traffic through.
> >
> > You see, I knew I was writing that the wrong way round... Of course I meant
> > tcp and udp.
> >
> > > Come to think of it, a firewall that only allows TCP and UDP traffic
> > > and then denies any other IP traffic, including ICMP, is doing a great
> > > disservice to both itself, its internal network, and the Internet at
> > > large. This has been said many, many times in many forums, but still:
> > > some ICMP messages are not only beneficial, they are essential for
> > > the correct operation of the network. Firewalling all ICMP traffic
> > > is a very bad idea.
> >
> > Agreed!
> >
> > To those that want my rules... I will post them tonight, when I can make sure
> > that they are actually working. From memory I was adding a "allow esp" rule
> > temporarily when I needed vpn support.
> > -D
>

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
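To make the thread's point concrete (ESP and AH are IP protocols of their own, so a TCP/UDP-only ruleset drops them at the catch-all deny), here is an added example that is not code from any of the posters or from FreeBSD: a deliberately simplified first-match model of an ipfw ruleset, run over a subset of the rules Danny quoted, before and after the rules Barry recommends are inserted ahead of the final deny. It only understands the keywords that appear in the quoted ruleset, treats keep-state as a plain stateless allow, skips pipe/divert rules, and uses constructed addresses, interface names and packets; the exact form of the three IPsec rules (ESP, AH, and UDP 500 to 500 for IKE) is an assumption for the example.

```python
import ipaddress

# Simplified first-match model of an ipfw ruleset (added illustration, not
# FreeBSD code). keep-state is modelled as a plain allow; pipe/divert rules
# are skipped because they do not terminate the search.
OPTION_WORDS = {"via", "in", "out", "setup", "established", "keep-state"}

# Constructed subset of the ruleset quoted in the thread, in the posted order.
BASE_RULES = """
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0
deny log logamount 500 ip from any to 10.0.0.0/8 via xl0
deny log logamount 500 tcp from any to any 137-139 via xl0
divert 8668 ip from any to any via xl0
allow tcp from any to any established
allow tcp from any to any 80 setup
allow udp from 192.168.50.0/24 to any keep-state
allow tcp from 192.168.50.0/24 to any setup
deny log logamount 500 tcp from any to any in recv xl0 setup
allow icmp from any to any
deny log logamount 500 ip from any to any
"""

# The rules Barry suggests, written as stateless ipfw lines (assumed form).
IPSEC_RULES = """
allow esp from any to any
allow ah from any to any
allow udp from any 500 to any 500
"""

def parse_ports(tok):
    """'80' -> (80, 80); '137-139' -> (137, 139)."""
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)

def parse_rule(line):
    toks = line.split()
    if toks[0].isdigit():            # optional leading rule number
        toks = toks[1:]
    rule = {"raw": line, "action": toks[0], "sport": None, "dport": None,
            "dir": None, "iface": None, "flags": set()}
    i = 1
    if rule["action"] in ("pipe", "divert"):
        i += 1                       # skip the pipe number / divert port
    if toks[i] == "log":
        i += 1
        if toks[i] == "logamount":
            i += 2
    rule["proto"] = toks[i]
    if toks[i + 1] != "from":
        raise ValueError(f"expected 'from' in: {line}")
    rule["src"] = toks[i + 2]
    i += 3
    if toks[i] != "to":              # optional source port(s)
        rule["sport"] = parse_ports(toks[i])
        i += 1
    rule["dst"] = toks[i + 1]
    i += 2
    if i < len(toks) and toks[i] not in OPTION_WORDS:   # optional dest port(s)
        rule["dport"] = parse_ports(toks[i])
        i += 1
    while i < len(toks):             # trailing match options
        tok = toks[i]
        if tok == "via":
            rule["iface"] = toks[i + 1]
            i += 2
        elif tok in ("in", "out"):
            rule["dir"] = tok
            i += 1
            if i < len(toks) and toks[i] in ("recv", "xmit"):
                rule["iface"] = toks[i + 1]
                i += 2
        elif tok in ("setup", "established", "keep-state"):
            rule["flags"].add(tok)
            i += 1
        else:
            raise ValueError(f"unsupported keyword {tok!r} in: {line}")
    return rule

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(rng, port):
    return port is not None and rng[0] <= port <= rng[1]

def matches(rule, pkt):
    # 'ip' matches every protocol; anything else must match exactly, which is
    # why tcp/udp rules never see an ESP or AH packet.
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
        return False
    if rule["sport"] and not port_match(rule["sport"], pkt.get("sport")):
        return False
    if rule["dport"] and not port_match(rule["dport"], pkt.get("dport")):
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    # 'setup' = TCP SYN without ACK; 'established' = any other TCP segment.
    if "setup" in rule["flags"] and pkt.get("tcp") != "syn":
        return False
    if "established" in rule["flags"] and pkt.get("tcp") != "established":
        return False
    return True

def evaluate(rule_text, pkt):
    """Return (verdict, matched rule text) for pkt under first-match semantics."""
    for line in rule_text.strip().splitlines():
        rule = parse_rule(line)
        if rule["action"] not in ("allow", "deny"):
            continue
        if matches(rule, pkt):
            return rule["action"], rule["raw"]
    return "deny", "65535 deny ip from any to any"   # ipfw's implicit default

def with_ipsec(rule_text, ipsec_text=IPSEC_RULES):
    """Insert the IPsec rules just before the final catch-all deny."""
    lines = rule_text.strip().splitlines()
    return "\n".join(lines[:-1] + ipsec_text.strip().splitlines() + lines[-1:])

# Constructed packets arriving on the outside interface xl0.
ESP_IN = {"proto": "esp", "src": "203.0.113.5", "dst": "198.51.100.7", "iface": "xl0", "dir": "in"}
IKE_IN = {"proto": "udp", "src": "203.0.113.5", "sport": 500, "dst": "198.51.100.7",
          "dport": 500, "iface": "xl0", "dir": "in"}
HTTP_SYN_IN = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "198.51.100.7",
               "dport": 80, "iface": "xl0", "dir": "in", "tcp": "syn"}

if __name__ == "__main__":
    for name, pkt in (("ESP", ESP_IN), ("IKE", IKE_IN), ("HTTP SYN", HTTP_SYN_IN)):
        print(f"{name:8} before: {evaluate(BASE_RULES, pkt)}")
        print(f"{name:8} after:  {evaluate(with_ipsec(BASE_RULES), pkt)}")
```

Run stand-alone, the script shows the inbound HTTP SYN accepted by the `80 setup` rule in both cases, while the ESP packet and the IKE datagram fall through every tcp/udp/icmp rule to the posted set's `deny log logamount 500 ip from any to any` and are only accepted once the three IPsec rules sit ahead of that catch-all. Because this ruleset is stateless for everything except the LAN-originated udp rule, the placement and both directions of the IPsec rules matter; with a stateful ipfw setup the UDP 500 rule could be narrowed, but that is outside what the thread covers.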