how to configure a FreeBSD firewall to pass IPSec?

Peter Pentchev roam at ringlet.net
Tue May 6 22:53:02 PDT 2003


On Wed, May 07, 2003 at 12:07:47AM +0200, Danny Carroll wrote:
> > On Tue, 6 May 2003, Danny Carroll wrote:
> > > FYI I have done this in ipfw/natd...  It's just as easy.  I think I only added
> > > one rule to my firewall and nothing to my natd.conf
> > >
> > > Now I can vpn from any machine on the internal lan to multiple vpn's.
> > > If you want I can send you the ruleset.
> >
> > Please do!  I was just working up to converting, but if it works, this'll
> > be much easier.
> > Matt Piechota
> 
> 
> Umm  I looked at my ruleset and I found nothing...
> Then I remembered what I needed to do..
> 
> Basically 90% of the rulesets out there work on allowing IP and UDP
> But since esp is a different protocol to IP, it gets dropped.

You have a very good point here, if by 'IP and UDP' you actually meant
to say 'TCP and UDP', and 'ESP is a different protocol from TCP'.  TCP,
UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
ESP packet is an IP packet at the same time.  If you meant to say that
most firewalls only allow TCP and UDP packets, then this is absolutely
true: a firewall that only allows TCP and UDP, then denies all the rest
of IP traffic without special provisions for ICMP or ESP, would
certainly not let any IPsec traffic through.

Come to think of it, a firewall that only allows TCP and UDP traffic
and then denies any other IP traffic, including ICMP, is doing a great
disservice to itself, its internal network, and the Internet at
large.  This has been said many, many times in many forums, but still:
some ICMP messages are not only beneficial, they are essential for
the correct operation of the network.  Firewalling all ICMP traffic
is a very bad idea.

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at sbnd.net    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
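As an added example (not from this thread or from either poster), the following script shows the two rulesets side by side: the "TCP and UDP only" ruleset Danny describes, which silently drops ESP, and the corrected one that adds ESP (IP protocol 50), AH (IP protocol 51) and the essential ICMP types. IKE on UDP port 500 (and NAT-T on UDP 4500) is already covered by the generic UDP rule, which is why only the ESP/AH lines need to be added. The script only prints the ipfw commands so they can be reviewed first; the interface name and rule numbers are assumptions.

```shell
#!/bin/sh
# Added example: print ipfw rules for review, then apply on the FreeBSD box as root with
#   sh ipsec_rules.sh | sh
# EXT_IF, rule numbers and the ICMP type choice are assumptions, not from the thread.

EXT_IF="${EXT_IF:-fxp0}"

# The ruleset the post describes: TCP and UDP pass, everything else is denied.
# ESP and AH are IP protocols in their own right (50 and 51), so they never
# match the tcp/udp rules and hit the final deny.  So does every ICMP message.
weak_rules() {
    cat <<EOF
ipfw add 1000 allow tcp from any to any via $EXT_IF
ipfw add 1100 allow udp from any to any via $EXT_IF
ipfw add 65000 deny ip from any to any
EOF
}

# Corrected ruleset.  "esp" and "ah" resolve through /etc/protocols.
# IKE (udp/500) and NAT-T (udp/4500) already pass via the udp rule.
# ICMP types: 0/8 echo reply/request, 3 destination unreachable (carries the
# "fragmentation needed" message Path MTU discovery depends on), 11 time exceeded.
ipsec_rules() {
    cat <<EOF
ipfw add 1000 allow tcp from any to any via $EXT_IF
ipfw add 1100 allow udp from any to any via $EXT_IF
ipfw add 1200 allow esp from any to any via $EXT_IF
ipfw add 1210 allow ah from any to any via $EXT_IF
ipfw add 1300 allow icmp from any to any icmptypes 0,3,8,11 via $EXT_IF
ipfw add 65000 deny ip from any to any
EOF
}

# Count the allow rules for a given protocol keyword in a ruleset,
# so the difference between the two rulesets can be checked mechanically.
count_proto() {
    # $1 = ruleset function name, $2 = protocol keyword (tcp, udp, esp, ah, icmp)
    "$1" | grep -c " allow $2 " || true
}

# Stand-alone run: "sh ipsec_rules.sh weak" prints the broken set, anything
# else prints the corrected one.
if [ "${1:-}" = "weak" ]; then
    weak_rules
else
    ipsec_rules
fi
```

Apply the rules only after checking them against your existing numbering (`ipfw list`); the final deny must stay last, and the ESP/AH rules must sit before it.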