This is a discussion on Re: IPSEC only from wireless subnet? within the IPFilter forums, part of the System Security and Security Related category.
Thus spake ipf (ipf@xtremedev.com) [20/09/03 12:46]:
> OK. I have got tunneling working between my clients and gateway.
> However, I am having a hard time working out the ipfilter rules that
> best fit my needs. I.e., block all that are not ESP packets (all wireless
> users MUST authenticate and encrypt via IPSec/racoon to use my network).
> I tried the below rules, and they seem to prevent my clients from
> accessing the internet (if I change them to pass all from any to any,
> the clients can access the internet just fine):
>
> # First block all packets by default on em0 (wireless access point)
> block in quick on em0 all head 500
> block out quick on em0 all head 600
>
> # Let in DHCP requests, and keep state on it so we can give out leases
> pass in quick on em0 proto udp from any to any port = bootps keep state keep frags group 500
>
> # Let in IPSec requests to start IPSec negotiation with racoon server
> pass in quick on em0 proto udp from any port = isakmp to any port = isakmp keep state keep frags group 500
>
> # Now let ESP packets flow freely
> pass in quick on em0 proto esp from any to any group 500
> pass out quick on em0 proto esp from any to any group 600
>
>
> Any suggestions on what other ports I might need to open up? Er, maybe
> DNS? I had hoped that DHCP and ISAKMP (port 500) were all that was
> needed to authenticate the clients to IPSec, then all ip traffic would
> then be ESP encrypted, including the dns queries. No?

Might I suggest something like this...

block in on em0 all head 500
# We want to let in ISAKMP traffic, but not all ISAKMP daemons use UDP/500
# as their source...
pass in quick on em0 proto udp from any to ${me} port = 500 keep state keep frags group 500
pass in quick on em0 proto ah from any to any keep state keep frags group 500
pass in quick on em0 proto esp from any to any keep state keep frags group 500

block out on em0 all head 600
pass out quick on em0 proto udp from ${me} port = 500 to any port = 500 keep state keep frags group 600
# Allow out traffic originating from us.
pass out quick on em0 proto ah from ${me} to any keep state keep frags group 600
pass out quick on em0 proto esp from ${me} to any keep state keep frags group 600
# And put in any other rules that you want to allow /initiated/ traffic
# /to/ this subnet

Note: That will cover that interface. But the gotcha with IPSec is that the ah/esp matching only covers the IPSec traffic. So you let /in/ the encapsulated traffic, but when you want to pass /out/ the decapsulated traffic, it's subject to whichever rules match on outbound -- so you have to explicitly permit this. This is a bit of a PITA -- but the appropriate 'pass out quick ... keep state' rule should take care of this.

Note, there are some FreeBSD kernel options that play with how this works. I've never used them, so I don't know how well they work. OpenBSD has the encx interfaces, so they play a little nicer in this regard (I believe).
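As an added illustration, not part of the thread: a small Python model of how ipfilter walks a rule set (last match wins unless a rule is quick; a matching head rule descends into its group), run over the rules suggested in the reply plus the OP's bootps rule. State and fragments are ignored, the addresses are constructed, and the final "pass out" TCP rule is an assumed example of the explicit rule the reply says the cleartext traffic needs.

```python
from collections import namedtuple

ANY = None  # wildcard for a rule field
Packet = namedtuple("Packet", "direction iface proto src dst dport")
# One ipf.conf rule: action ("pass"/"block"), direction ("in"/"out"), iface ("on em0"),
# proto/src/dst/dport ("proto X from A to B port = N", ANY = wildcard), quick,
# head ("head N": a match descends into group N), group ("group N": rule lives in N).
Rule = namedtuple("Rule", "action direction iface proto src dst dport quick head group",
                  defaults=(ANY, ANY, ANY, ANY, False, None, None))

def matches(r, p):
    return (r.direction == p.direction and r.iface == p.iface
            and r.proto in (ANY, p.proto) and r.src in (ANY, p.src)
            and r.dst in (ANY, p.dst) and r.dport in (ANY, p.dport))

def evaluate(rules, p, group=None):
    """Simplified ipfilter semantics (no state table, no fragments): last match
    wins unless a quick rule matches. Returns (action or None, ended_by_quick)."""
    result = None
    for r in rules:
        if r.group != group or not matches(r, p):
            continue
        result = r.action
        if r.quick:
            return result, True
        if r.head is not None:
            sub, final = evaluate(rules, p, r.head)
            if sub is not None:
                result = sub
                if final:
                    return result, True
    return result, False

def decide(rules, p):
    return evaluate(rules, p)[0] or "pass"  # ipfilter passes when nothing matches

ME, CLIENT, WEB = "10.0.0.1", "10.0.0.20", "198.51.100.7"  # constructed addresses
RULES = [  # the reply's rule set, plus the OP's bootps rule
    Rule("block", "in", "em0", head=500),
    Rule("pass", "in", "em0", proto="udp", dport=67, quick=True, group=500),
    Rule("pass", "in", "em0", proto="udp", dst=ME, dport=500, quick=True, group=500),
    Rule("pass", "in", "em0", proto="ah", quick=True, group=500),
    Rule("pass", "in", "em0", proto="esp", quick=True, group=500),
    Rule("block", "out", "em0", head=600),
    Rule("pass", "out", "em0", proto="udp", src=ME, dport=500, quick=True, group=600),
    Rule("pass", "out", "em0", proto="ah", src=ME, quick=True, group=600),
    Rule("pass", "out", "em0", proto="esp", src=ME, quick=True, group=600),
]
# Assumed fix for the gotcha: the cleartext packet ipfilter sees on em0 out, before
# ESP encapsulation, needs its own "pass out quick ... keep state group 600" rule.
FIXED = RULES + [Rule("pass", "out", "em0", proto="tcp", dst=CLIENT, quick=True, group=600)]
```

With RULES alone, ISAKMP and ESP pass but a cleartext TCP reply to the client on em0 out hits the block head with nothing in group 600 to save it; FIXED adds that rule.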