This is a discussion on "IPSEC only from wireless subnet?" within the IPFilter forums, part of the System Security and Security Related category.

I'm having some issues with a firewall setup that I would like help with. Here is my current setup:

* IPFilter v3.4.31 running on FreeBSD 4-STABLE.
* There are two relevant network cards, one with a static public IP address on xl0, and the other with a static private internal IP address on em0, 10.0.0.1/255.255.255.0.
* em0, 10.0.0.1/255.255.255.0, is directly connected to a Linksys Wireless Access Point (WAP55AG) with a static IP of 10.0.0.246.
* Racoon-20030711a listening on isakmp/500 udp.
* ISC-DHCPd 3.0.1.r12 handing out dynamic IPs to wireless clients.
* Windows XP client machines with ipsec filter rules.

What I would like to do is to deny all packets from that wireless access point except for esp packets, which means that my wireless clients won't have access to the rest of the network or to the internet until they have authenticated via racoon (hopefully, this will wrap my wireless packets in ipsec and prevent other people from using my network).

Thus far, I have these as my firewall rules (snapshot):

    # Setup the head rules
    block in quick on em0 all head 500
    block out quick on em0 all head 600

    # Rules for incoming packets
    pass in quick on em0 proto udp from any to any port = bootps keep state keep frags group 500
    pass in quick on em0 proto udp from any port = isakmp to any port = isakmp keep state keep frags group 500
    pass in quick on em0 proto esp from any to any group 500

    # Rules for outgoing packets
    pass out quick on em0 proto esp from any to any group 600

Here are my ipnat rules:

    map xl0 10.0.0.0/24 -> 0/32 proxy port ftp ftp/tcp
    map xl0 10.0.0.0/24 -> 0/32 portmap tcp/udp 30201:39999
    map xl0 10.0.0.0/24 -> 0/32

My Windows XP laptop has no problems getting a dynamic IP address from the dhcpd running on the FreeBSD gateway, and successfully connects to the internet without problems... NOT. Only if I use the 'pass' keyword instead of the 'block' keyword in the head rules:

    pass in quick on em0 all head 500
    pass out quick on em0 all head 600

If I use the block rules, I can't connect to anywhere. I seem to have no problems authenticating with racoon, as the logs show ESP/Transport rules being set up and mirrored. But once I use the block rules, it all goes kaput. Does anyone have any suggestions on how to secure my wireless network with ipfilter and ipsec? Thanks in advance.
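To see what each head-rule variant actually admits on em0, here is an added toy evaluator of the rules quoted in the post. It is not from the post or from IPFilter itself: a simplified model of ipf 3.x matching (direction, interface, protocol and port only; keep state and keep frags are ignored, so it only says what the first packet of a flow gets) run over constructed sample packets.

```python
def parse(line):
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": t[t.index("on") + 1],
         "proto": None, "sport": None, "dport": None, "head": None, "group": None}
    for key in ("proto", "head", "group"):          # 'proto udp', 'head 500', 'group 500'
        if key in t:
            r[key] = t[t.index(key) + 1]
    if "from" in t:                                 # 'from A [port = P] to B [port = Q]'
        i, j = t.index("from"), t.index("to")
        r["sport"] = t[i + 4] if t[i + 2] == "port" else None
        r["dport"] = t[j + 4] if t[j + 2:j + 3] == ["port"] else None
    return r

def rules_from_post(head_action):  # the poster's em0 rules; the head rules' action is the parameter
    return [parse(l) for l in (
        f"{head_action} in quick on em0 all head 500",
        f"{head_action} out quick on em0 all head 600",
        "pass in quick on em0 proto udp from any to any port = bootps keep state keep frags group 500",
        "pass in quick on em0 proto udp from any port = isakmp to any port = isakmp keep state keep frags group 500",
        "pass in quick on em0 proto esp from any to any group 500",
        "pass out quick on em0 proto esp from any to any group 600")]

def verdict(rules, pkt, group=None):
    # ipf order: last match wins, 'quick' ends the walk; a matching head rule defers to its group
    result = None
    for r in rules:  # a None field in a rule is a wildcard
        if (r["group"] != group or (r["dir"], r["iface"]) != (pkt["dir"], pkt["iface"])
                or any(r[k] not in (None, pkt[k]) for k in ("proto", "sport", "dport"))):
            continue
        result = r["action"]
        if r["head"]:
            result = verdict(rules, pkt, r["head"]) or result
        if r["quick"]:
            break
    return result

def pkt(d, proto, sport=None, dport=None):  # constructed packet on em0, ports as ipf service names
    return dict(dir=d, iface="em0", proto=proto, sport=sport, dport=dport)
PACKETS = {  # constructed samples, not from the post
    "dhcp in": pkt("in", "udp", "bootpc", "bootps"), "ike in": pkt("in", "udp", "isakmp", "isakmp"),
    "esp in": pkt("in", "esp"), "esp out": pkt("out", "esp"),
    "cleartext tcp in": pkt("in", "tcp", "1025", "http"), "cleartext tcp out": pkt("out", "tcp", "http", "1025"),
}

def table(head_action):  # verdict per sample; an unmatched packet passes (ipf default)
    return {n: verdict(rules_from_post(head_action), p) or "pass" for n, p in PACKETS.items()}

if __name__ == "__main__":
    for action in ("block", "pass"):
        print(f"head rules = {action}:", table(action))
```

With block heads the model lets only DHCP, IKE and ESP through and drops any packet that reaches ipf on em0 unencrypted, in both directions; with pass heads the quick head rule passes everything before the group rules matter, so the wireless subnet is open.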