Impossible to IPfilter this?
Lupe Christoph
lupe at lupe-christoph.de
Sat Jun 7 04:38:01 PDT 2003
Hi!
I'm trying to increase security on my FreeBSD 4.8 firewall/DSL router/VPN
router.
My problem is with firewalling the VPN part. I'm using a tunnel to a
RedHat 7.1 box running FreeS/WAN. This tunnel allows traffic from my
internal net (172.17.0.0/24) to that box only:
spdadd 172.17.0.0/24 $REDHAT/32 any -P out ipsec esp/tunnel/$MYADDR-$REDHAT/unique;
spdadd $REDHAT/32 172.17.0.0/24 any -P in ipsec esp/tunnel/$REDHAT-$MYADDR/unique;
What I want to do is prohibit traffic from $REDHAT to 172.17.0.7, the
internal address of this FreeBSD box. I'm using IPFilter, so I inserted
a rule like this:
block in log quick from any to 172.17.0.7
It is not attached to any interface, so it should supposedly work even
for tunnelled traffic. Only it doesn't.
I tried using GIF devices, but could not get them to work with
FreeS/WAN 1.95. Did anybody accomplish this?
I remember talk on this mailing list about making IPSec use an interface
even when it is not run with GIFs. I have not followed the FreeBSD 5
work. Is this being integrated there? It would be very useful for this
kind of situation, and I'm using it on some other FreeS/WAN box I
maintain. But I want to secure my firewall against the other side being
taken over, so this does not help me here.
Any hints on how to resolve this are welcome. I don't think this is a
general IPFilter problem, hence I'm asking on this mailing list rather
than that for IPFilter.
Thank you,
Lupe Christoph
PS: There was talk about the sequence IPFW/IPNat/IPFilter get invoked.
It would be interesting to put the IPSec code in this picture. Are
IPSec packets going through *any* of them? With or without GIF?
--
| lupe at lupe-christoph.de | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett |
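The post relies on two IPFilter rule semantics: a rule with no "on <iface>" clause matches on every interface, and "quick" ends evaluation at that rule, whereas without "quick" the last matching rule wins. The following toy evaluator is an added example written for this page; it is not code from the poster, FreeBSD or the IPFilter project. It parses only the small subset of the ipf.rules grammar used here (no ports, flags or keep state), and the addresses and interface names (198.51.100.5 standing in for $REDHAT, xl0 and gif0) are constructed placeholders. It models rule matching only; whether the kernel hands decapsulated ESP traffic to the filter at all, which is the actual question in the post, is outside what it can show.

```python
"""Toy IPFilter rule evaluator (added example, not FreeBSD or IPFilter code).

Semantics modelled:
  * a rule without "quick" records a tentative verdict; the LAST matching
    rule decides,
  * a rule with "quick" decides immediately,
  * a rule without "on <iface>" matches on every interface,
  * a packet matching no rule is passed.
Only action/direction/log/quick/on/proto/from/to are understood.
"""
import ipaddress


def _addr(tok):
    """'any' matches everything; a bare host such as 172.17.0.7 becomes /32."""
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    tok = line.split()
    rule = {"action": tok[0], "dir": tok[1], "log": False, "quick": False,
            "iface": None, "proto": None, "src": None, "dst": None}
    if rule["action"] not in ("pass", "block") or rule["dir"] not in ("in", "out"):
        raise ValueError("unsupported rule: " + line)
    i = 2
    while i < len(tok):
        t = tok[i]
        if t in ("log", "quick"):
            rule[t] = True
            i += 1
        elif t in ("on", "proto"):
            rule["iface" if t == "on" else "proto"] = tok[i + 1]
            i += 2
        elif t in ("from", "to"):
            rule["src" if t == "from" else "dst"] = _addr(tok[i + 1])
            i += 2
        else:
            raise ValueError("unsupported token %r in: %s" % (t, line))
    return rule


def matches(rule, pkt):
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        net = rule[key]
        if net is not None and ipaddress.ip_address(pkt[key]) not in net:
            return False
    return True


def evaluate(rule_lines, pkt):
    """Return (verdict, index of the deciding rule or None if nothing matched)."""
    verdict, decided_by = "pass", None  # IPFilter passes what no rule matches
    for idx, line in enumerate(rule_lines):
        rule = parse_rule(line)
        if not matches(rule, pkt):
            continue
        verdict, decided_by = rule["action"], idx
        if rule["quick"]:
            break
    return verdict, decided_by


# Constructed sample data: 198.51.100.5 stands in for $REDHAT, xl0 for the
# external interface and gif0 for a hypothetical tunnel interface.
REDHAT = "198.51.100.5"
PKT_EXT = {"dir": "in", "iface": "xl0", "proto": "tcp", "src": REDHAT, "dst": "172.17.0.7"}
PKT_GIF = dict(PKT_EXT, iface="gif0")
PKT_OTHER_HOST = dict(PKT_EXT, dst="172.17.0.8")

# The rule from the post, followed by a catch-all pass.
RULES_POSTED = ["block in log quick from any to 172.17.0.7",
                "pass in from any to any"]
# A quick pass placed earlier silently wins over the interface-less block.
RULES_QUICK_PASS_FIRST = ["pass in quick on xl0 from %s to any" % REDHAT,
                          "block in log quick from any to 172.17.0.7"]
# Without quick, the later pass overrides the earlier block.
RULES_NO_QUICK = ["block in from any to 172.17.0.7",
                  "pass in from %s to any" % REDHAT]

if __name__ == "__main__":
    for name, rules in (("posted", RULES_POSTED),
                        ("quick pass first", RULES_QUICK_PASS_FIRST),
                        ("no quick", RULES_NO_QUICK)):
        print(name, "xl0:", evaluate(rules, PKT_EXT), "gif0:", evaluate(rules, PKT_GIF))
```

Run as a script it prints the verdict and deciding rule for each ruleset; the posted rule blocks the packet on xl0 and gif0 alike, while the two misordered variants let the same packet through, which is the first thing to check in the real ipf.rules before suspecting the kernel path.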