how to configure a FreeBSD firewall to pass IPSec?

Barry Irwin bvi at itouchlabs.com
Fri May 9 03:18:05 PDT 2003


You just need to allow esp and ah, depending on which of the two you are using. Also
remember port 500 for IKE.

Barry


--
Barry Irwin         bvi at itouchlabs.com                    Tel: +27214875178
Systems Administrator: Networks And Security
iTouch Technology
iTouch TAS      http://www.itouchlabs.com         Mobile: +27824457210
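As an added example (not part of the thread, and not Barry's or Danny's own rules), the following script emits the ipfw rules the reply above calls for: ESP and AH matched by IP protocol, and IKE on UDP 500 in both directions, plus the ICMP types Peter's quoted message says must never be blocked. The interface name (xl0, taken from Danny's ruleset), the PEER variable and the rule numbers 1000-1007 are assumptions to adjust for your own gateway.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: generate ipfw rules that let
# IPsec through a FreeBSD gateway (allow esp and ah, plus UDP 500 for IKE), and
# keep the ICMP types the network needs. Assumptions: external interface xl0,
# rule numbers 1000-1007 as a free range, PEER as the remote VPN gateway.

EXT_IF="${EXT_IF:-xl0}"     # assumption: external interface, as in Danny's ruleset
PEER="${PEER:-any}"         # assumption: narrow this to the peer gateway when it is known

# Emit the IPsec pass-through rules. ESP and AH are matched on IP protocol,
# not on ports: neither header carries port numbers, which is exactly why a
# TCP/UDP-only firewall silently drops them.
ipsec_passthrough_rules() {
    ext_if="$1"; peer="$2"
    cat <<EOF
# IKE (ISAKMP) on UDP 500, both directions, so either side may initiate.
# IKEv1 sends from port 500 as well, so both ends are pinned to 500.
add 1000 allow udp from any 500 to $peer 500 via $ext_if
add 1001 allow udp from $peer 500 to any 500 via $ext_if
# ESP, IP protocol 50: the encrypted payload of the tunnel.
add 1002 allow esp from any to $peer via $ext_if
add 1003 allow esp from $peer to any via $ext_if
# AH, IP protocol 51: delete these two rules if the tunnel only uses ESP.
add 1004 allow ah from any to $peer via $ext_if
add 1005 allow ah from $peer to any via $ext_if
EOF
}

# ICMP types that must pass even on a tight firewall: 3 (destination
# unreachable, which includes the "fragmentation needed" message that path MTU
# discovery depends on; ESP/AH overhead makes this matter more for IPsec) and
# 11 (time exceeded). Echo (0/8) is a separate rule so it is easy to drop.
icmp_essential_rules() {
    ext_if="$1"
    cat <<EOF
add 1006 allow icmp from any to any icmptypes 3,11 via $ext_if
add 1007 allow icmp from any to any icmptypes 0,8 via $ext_if
EOF
}

# Number of "add" lines in the generated set; a quick check that nothing was
# lost before loading the rules.
count_rules() {
    { ipsec_passthrough_rules "$1" "$2"; icmp_essential_rules "$1"; } | grep -c '^add '
}

if [ "${1:-}" = "--apply" ]; then
    # Load into the live firewall: ipfw(8) reads a rule file when handed a
    # path, and /dev/stdin accepts a pipe. Run as root on the gateway.
    { ipsec_passthrough_rules "$EXT_IF" "$PEER"; icmp_essential_rules "$EXT_IF"; } | ipfw -q /dev/stdin
else
    # Default: print the rules for review or for pasting into the rules file,
    # ahead of the final "deny ip from any to any".
    ipsec_passthrough_rules "$EXT_IF" "$PEER"
    icmp_essential_rules "$EXT_IF"
fi
```

Two placement points matter in a ruleset like Danny's. ipfw numbers unnumbered rules itself (in steps of 100), so run `ipfw list` and pick numbers that land after the divert rule, if the IPsec endpoint is an inside host that natd must reach, and before the closing deny. And note what natd can and cannot do here: AH authenticates the outer IP header, so rewriting the source address breaks it, and ESP, having no ports, cannot be demultiplexed to more than one inside host.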


----- Original Message -----
From: "Danny Carroll" <fbsd at dannysplace.net>
To: "Peter Pentchev" <roam at ringlet.net>
Cc: <freebsd-security at freebsd.org>
Sent: Wednesday, May 07, 2003 9:33 PM
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?


> As promised, my ruleset that works...
> I've removed the lines that are important for me to keep a secret... But
> they are only things like ftp...
> My Natd.conf only has some port redirects for web/ftp etc...
> p.s. Sorry for the top-post...
>
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
>
> # Spoof protection.
> deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0
> deny log logamount 500 ip from any to 10.0.0.0/8 via xl0
> deny log logamount 500 ip from any to 172.16.0.0/12 via xl0
> deny log logamount 500 ip from any to 192.168.0.0/24 via xl0
> deny log logamount 500 ip from 0.0.0.0/8 to any via xl0
> deny log logamount 500 ip from 169.254.0.0/16 to any via xl0
> deny log logamount 500 ip from 192.0.2.0/24 to any via xl0
> deny log logamount 500 ip from 224.0.0.0/4 to any via xl0
> deny log logamount 500 ip from 240.0.0.0/4 to any via xl0
>
> #Disallow smb/nmb
> deny log logamount 500 tcp from any to any 137-139 via xl0
> deny log logamount 500 tcp from any 137-139 to any via xl0
> deny log logamount 500 udp from any to any 137-139 via xl0
> deny log logamount 500 udp from any 137-139 to any via xl0
>
> # Now divert, and set up my pipes (these are so my web/ftp server leaves me
> # some bandwidth).
> pipe 1 ip from 192.168.10.0/24 to any out xmit xl0
> divert 8668 ip from any to any via xl0
> pipe 2 ip from any to 192.168.10.0/24 in recv xl0
>
> allow tcp from any to any established
> allow tcp from any to any 25 setup
> allow tcp from any to any 21 setup
> allow tcp from any to any 80 setup
> allow tcp from any to any 443 setup
> allow udp from 192.168.50.0/24 to any keep-state
> allow tcp from 192.168.50.0/24 to any setup
> deny log logamount 500 tcp from any to any in recv xl0 setup
> allow icmp from any to any
> deny log logamount 500 ip from any to any
> 65535 deny ip from any to any
>
> ----- Original Message -----
> From: "Danny Carroll" <fbsd at dannysplace.net>
> To: "Peter Pentchev" <roam at ringlet.net>
> Cc: <freebsd-security at freebsd.org>
> Sent: Wednesday, May 07, 2003 11:27 AM
> Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
>
>
> > Quoting Peter Pentchev <roam at ringlet.net>:
> > > You have a very good point here, if by 'IP and UDP' you actually meant
> > > to say 'TCP and UDP', and 'ESP is a different protocol from TCP'.  TCP,
> > > UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> > > ESP packet is an IP packet at the same time.  If you meant to say that
> > > most firewalls only allow TCP and UDP packets, then this is absolutely
> > > true: a firewall that only allows TCP and UDP, then denies all the rest
> > > of IP traffic without special provisions for ICMP or ESP, would
> > > certainly not let any IPsec traffic through.
> >
> > You see, I knew I was writing that the wrong way round...  Of course I
> > meant tcp and udp.
> >
> > > Come to think of it, a firewall that only allows TCP and UDP traffic
> > > and then denies any other IP traffic, including ICMP, is doing a great
> > > disservice to both itself, its internal network, and the Internet at
> > > large.  This has been said many, many times in many forums, but still:
> > > some ICMP messages are not only beneficial, they are essential for
> > > the correct operation of the network.  Firewalling all ICMP traffic
> > > is a very bad idea.
> >
> > Agreed!
> >
> > To those that want my rules...  I will post them tonight, when I can make
> > sure that they are actually working.  From memory I was adding an "allow esp"
> > rule temporarily when I needed vpn support.
> > -D
> >
> > _______________________________________________
> > freebsd-security at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> "freebsd-security-unsubscribe at freebsd.org"
> >
> >
>