IPsec and ipf processing with IPSEC_FILTERGIF

giannidoe at mac.com
Wed Nov 8 08:37:27 UTC 2006


I'm running IPsec in tunnel mode with the setup on host W.Z.Y.Z as:

spdadd 192.168.0.0/24 192.168.200.0/24 any -P out ipsec
            esp/tunnel/W.Z.Y.Z-A.B.C.D/unique;
spdadd 192.168.200.0/24 192.168.0.0/24 any -P in ipsec
            esp/tunnel/A.B.C.D-W.Z.Y.Z/unique;

Up until yesterday this was working fine with the IPSEC_FILTERGIF option activated in the kernel and the ipfilter rules as listed below (fxp0 is the internet-facing NIC).
The only changes I made were to install OpenVPN and add an ipf rule to allow in UDP packets on port 1194, things that shouldn't have had any effect on the IPsec tunnel afaik. After flushing and reloading the ipf rules my IPsec tunnel stopped working, and on investigation it proved to be the following rule blocking the decrypted packets coming in on the internet interface:
@9 block in log first quick on fxp0 from 192.168.0.0/16 to any

I haven't rebuilt the kernel or world for a few weeks, so I'm at a complete loss to explain how this was working before and then stopped working. Yes, the ipf rules were in place before. Anyway, I don't expect much help here without some hard evidence.
I have now rebuilt kernel and world to FreeBSD 6.2-PRERELEASE #8 and the behaviour remains.

What I would appreciate is some clarification and advice on how IPsec and ipfilter should interact when the IPSEC_FILTERGIF option is set. I've found various clues around the net, but most of them are out of date, and it seems this has been an actively changing subject.

I suppose the crux of the matter is:
* Is it correct that with IPSEC_FILTERGIF the decrypted packets are fed back into the *outside* interface?
* If I have to set rules to allow 192.168.0.0/24 in on my internet interface, won't this then be at risk from spoofing?

@1 pass in quick on fxp1 all
@2 pass in quick on fxp0 proto udp from any to any port = isakmp keep state
@3 pass in quick on fxp0 proto esp from any to any
@4 pass in quick on fxp0 proto ipencap from any to any
@5 pass in quick on lo0 all
@6 pass in quick on fxp0 proto udp from any to any port = domain keep state
@7 pass in quick on fxp0 proto tcp from any to any port = domain flags S/FSRPAU keep state keep frags
@9 block in log first quick on fxp0 from 192.168.0.0/16 to any
@10 block in quick on fxp0 from 172.16.0.0/12 to any
@11 block in quick on fxp0 from 10.0.0.0/8 to any
@12 block in quick on fxp0 from 127.0.0.0/8 to any
@13 block in quick on fxp0 from 0.0.0.0/8 to any
@14 block in quick on fxp0 from 169.254.0.0/16 to any
@15 block in quick on fxp0 from 192.0.2.0/24 to any
@16 block in quick on fxp0 from 204.152.64.0/23 to any
@17 block in quick on fxp0 from 224.0.0.0/3 to any
@18 block in quick on fxp0 proto tcp from any to any with short
@19 block in quick on fxp0 from any to any with opt lsrr
@20 block in quick on fxp0 from any to any with opt ssrr
@21 block in log first quick on fxp0 proto tcp from any to any flags FPU/FSRPAU
@22 block in quick on fxp0 from any to any with ipopts
@23 pass in quick on fxp0 proto icmp from x.x.x.x/32 to any icmp-type echo keep state
@24 pass in quick on fxp0 proto icmp from any to any icmp-type unreach keep state
@25 block in quick on fxp0 proto icmp from any to any icmp-type echo
@26 block in quick on fxp0 proto tcp from any to any port = auth
@27 block in log first quick on fxp0 proto tcp/udp from any to any port = netbios-ns
@28 block in log first quick on fxp0 proto tcp/udp from any to any port = netbios-dgm
@29 block in log first quick on fxp0 proto tcp/udp from any to any port = netbios-ssn
@30 block in log first quick on fxp0 proto tcp/udp from any to any port = hosts2-ns
@31 pass in quick on fxp0 proto tcp from any to any port = ssh flags S/FSRPAU keep state keep frags
@32 block in log first quick on fxp0 all

Thanks
Gianni
