This is a discussion on Re: IPSEC only from wireless subnet? within the IPFilter forums, part of the System Security and Security Related category.
On Sat, Sep 20, 2003 at 10:11:11AM -0600, ipf wrote:
>
> OK. I have got tunneling working between my clients and gateway.
> However, I am having a hard time working out the ipfilter rules that
> best fit my needs. I.e., block all that are not ESP packets (all wireless
> users MUST authenticate and encrypt via IPSec/racoon to use my network).
> I tried the below rules, and they seem to prevent my clients from
> accessing the internet (if I change them to pass all from any to any,
> the clients can access the internet just fine):
>
> # First block all packets by default on em0 (wireless access point)
> block in quick on em0 all head 500
> block out quick on em0 all head 600
>
> # Let in DHCP requests, and keep state on it so we can give out leases
> pass in quick on em0 proto udp from any to any port = bootps keep state keep frags group 500
>
> # Let in IPSec requests to start IPSec negotiation with racoon server
> pass in quick on em0 proto udp from any port = isakmp to any port = isakmp keep state keep frags group 500
>
> # Now let ESP packets flow freely
> pass in quick on em0 proto esp from any to any group 500
> pass out quick on em0 proto esp from any to any group 600
>
>
> Any suggestions on what other ports I might need to open up? Er, maybe
> DNS? I had hoped that DHCP and ISAKMP (port 500) were all that was
> needed to authenticate the clients to IPSec, then all ip traffic would
> then be ESP encrypted, including the dns queries. No?

The only thing I can think of, but I wouldn't think it would affect you
right away, is that you need to open up 500/udp in both directions.
Remember IPsec is peer-to-peer and not client-to-server. Either end may
start IKE transactions. But I would expect things to work for a while and
then die off after SAs expire if that were the problem.

Anyway, I have a similar setup (except one of the firewall interfaces
_is_ the AP). My rules look like,

  # Wireless network out - DHCP and IPsec from firewall to clients
  block out log quick on WI_IF all head 5000
  pass out quick proto esp from WI_IP to WI_NET group 5000
  pass out quick proto udp from WI_IP port = 500 to WI_NET port = 500 group 5000
  pass out quick proto udp from WI_IP port = 67 to WI_NET port = 68 group 5000
  pass out quick proto udp from WI_IP port = 67 to 255.255.255.255 port = 68 group 5000

  # Wireless network in - DHCP and IPsec
  block in log quick on WI_IF all head 6000
  block in log quick from WI_IP to any group 6000
  pass in quick proto esp from WI_NET to WI_IP group 6000
  pass in quick proto gre from WI_NET to WI_IP group 6000
  pass in quick proto udp from WI_NET port = 500 to WI_IP port = 500 group 6000
  pass in quick proto udp from WI_NET port = 68 to WI_IP port = 67 group 6000
  pass in quick proto udp from 0.0.0.0/32 port = 68 to 255.255.255.255/32 port = 67 group 6000

They look similar to yours. Just a little more detailed on the DHCP and
two-way 500/udp. (This gets run through m4(1) to convert the "WI_IP" and
"WI_NET" to their real values.)
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
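For anyone working through the two rulesets above, here is a small added example (not from this thread and not IPFilter's own code): a Python simulator for just the rule syntax the two posts use, which runs a wireless client's bring-up traffic (DHCP, IKE on 500/udp, ESP, and one unencrypted DNS query) through both the original poster's rules and Crist's. The addresses (192.168.2.0/24, gateway 192.168.2.1, client 192.168.2.10, interface wi0) are constructed, expand() is a plain string substitution standing in for the m4(1) step, every rule is treated as quick, "log" and "keep frags" are ignored, and "keep state" is modelled as a 5-tuple looked up in both directions. Calling run_scenarios() on each ruleset shows the point made in the reply: with only "pass in" rules for 500/udp, an IKE exchange that the gateway starts itself (no state entry yet) is blocked, while the reply's two-way rules pass it; both rulesets block the unencrypted DNS query, as the original poster wanted. In this model the broadcast DHCP offer (gateway:67 to 255.255.255.255:68) also fails to match the state created by a discover from 0.0.0.0:68, which the reply's explicit outbound 67-to-68 rules cover.

```python
"""Simulator for the IPFilter rule subset used in this thread (an added example, not code from
the thread or from IPFilter).  All rules treated as 'quick'; 'log' and 'keep frags' ignored."""
import ipaddress

SERVICES = {"bootps": 67, "bootpc": 68, "isakmp": 500, "domain": 53}

def parse_rule(line):
    t = line.split()
    r = dict(action=t[0], dir=t[1], iface=None, proto=None, src="any", sport=None,
             dst="any", dport=None, state=False, head=None, group=None)
    i = 2
    while i < len(t):
        if t[i] in ("on", "proto", "head", "group"):
            r["iface" if t[i] == "on" else t[i]], i = t[i + 1], i + 2
        elif t[i] in ("from", "to"):
            side = "src" if t[i] == "from" else "dst"
            r[side], i = t[i + 1], i + 2
            if i < len(t) and t[i] == "port":          # 'port = N' or a service name
                r["sport" if side == "src" else "dport"] = SERVICES.get(t[i + 2]) or int(t[i + 2])
                i += 3
        elif t[i] == "keep":                            # 'keep state'; 'keep frags' is ignored
            r["state"], i = r["state"] or t[i + 1] == "state", i + 2
        else:                                           # quick, log, all
            i += 1
    return r

def matches(r, p):
    in_net = lambda spec, ip: spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and r["sport"] in (None, p["sport"]) and r["dport"] in (None, p["dport"]))

class Firewall:
    def __init__(self, text):
        self.rules = [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]
        self.state = set()
    def filter(self, p):
        """Return 'pass' or 'block' for one packet, recording state on 'keep state' passes."""
        fwd = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.state or rev in self.state:      # the state table is consulted before the rules
            return "pass"
        for r in self.rules:
            if r["group"] is not None or not matches(r, p):
                continue
            hit = r                                     # the head's own action unless a group rule matches
            if r["head"] is not None:
                hit = next((g for g in self.rules if g["group"] == r["head"] and matches(g, p)), r)
            if hit["action"] == "pass" and hit["state"]:
                self.state.add(fwd)
            return hit["action"]
        return "pass"                                   # ipf passes when no rule matches

OP_RULES = """\
block in quick on em0 all head 500
block out quick on em0 all head 600
pass in quick on em0 proto udp from any to any port = bootps keep state keep frags group 500
pass in quick on em0 proto udp from any port = isakmp to any port = isakmp keep state keep frags group 500
pass in quick on em0 proto esp from any to any group 500
pass out quick on em0 proto esp from any to any group 600
"""

REPLY_RULES_M4 = """\
block out log quick on WI_IF all head 5000
pass out quick proto esp from WI_IP to WI_NET group 5000
pass out quick proto udp from WI_IP port = 500 to WI_NET port = 500 group 5000
pass out quick proto udp from WI_IP port = 67 to WI_NET port = 68 group 5000
pass out quick proto udp from WI_IP port = 67 to 255.255.255.255 port = 68 group 5000
block in log quick on WI_IF all head 6000
block in log quick from WI_IP to any group 6000
pass in quick proto esp from WI_NET to WI_IP group 6000
pass in quick proto gre from WI_NET to WI_IP group 6000
pass in quick proto udp from WI_NET port = 500 to WI_IP port = 500 group 6000
pass in quick proto udp from WI_NET port = 68 to WI_IP port = 67 group 6000
pass in quick proto udp from 0.0.0.0/32 port = 68 to 255.255.255.255/32 port = 67 group 6000
"""

GW, CLIENT, NET = "192.168.2.1", "192.168.2.10", "192.168.2.0/24"   # constructed addresses

def expand(text, **macros):
    """Plain substitution standing in for the m4(1) pass the reply describes."""
    for name, value in macros.items():
        text = text.replace(name, value)
    return text

def pkt(direction, iface, proto, src, dst, sport=None, dport=None):
    return dict(dir=direction, iface=iface, proto=proto, src=src, dst=dst, sport=sport, dport=dport)

def run_scenarios(rules, iface):
    """Verdicts for the (constructed) traffic of a wireless client coming up behind the gateway."""
    fw, bcast = Firewall(rules), "255.255.255.255"
    v = {"dhcp_discover": fw.filter(pkt("in", iface, "udp", "0.0.0.0", bcast, 68, 67)),
         "dhcp_offer": fw.filter(pkt("out", iface, "udp", GW, bcast, 67, 68)),
         "ike_from_client": fw.filter(pkt("in", iface, "udp", CLIENT, GW, 500, 500)),
         "ike_reply_to_client": fw.filter(pkt("out", iface, "udp", GW, CLIENT, 500, 500)),
         "esp_in": fw.filter(pkt("in", iface, "esp", CLIENT, GW)),
         "esp_out": fw.filter(pkt("out", iface, "esp", GW, CLIENT)),
         "plain_dns_in": fw.filter(pkt("in", iface, "udp", CLIENT, GW, 40000, 53))}
    # Fresh state table: the gateway starts IKE itself, e.g. to rekey after an SA expires.
    v["ike_from_gateway"] = Firewall(rules).filter(pkt("out", iface, "udp", GW, CLIENT, 500, 500))
    return v
```

Compare run_scenarios(OP_RULES, "em0") with run_scenarios(expand(REPLY_RULES_M4, WI_IF="wi0", WI_IP=GW, WI_NET=NET), "wi0"): the keys are the scenario names and the values "pass" or "block". The only differences are ike_from_gateway and dhcp_offer, which is exactly where the reply's ruleset is "a little more detailed".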