Re: how to configure a FreeBSD firewall to pass IPSec?

From: Danny Carroll (fbsd@dannysplace.net)
Date: Wed May 07 2003 - 04:27:43 CDT


Quoting Peter Pentchev <roam@ringlet.net>:
> You have a very good point here, if by 'IP and UDP' you actually meant
> to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
> UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> ESP packet is an IP packet at the same time. If you meant to say that
> most firewalls only allow TCP and UDP packets, then this is absolutely
> true: a firewall that only allows TCP and UDP, then denies all the rest
> of IP traffic without special provisions for ICMP or ESP, would
> certainly not let any IPsec traffic through.

You see, I knew I was writing that the wrong way round... Of course I meant
TCP and UDP.

> Come to think of it, a firewall that only allows TCP and UDP traffic
> and then denies any other IP traffic, including ICMP, is doing a great
> disservice to itself, its internal network, and the Internet at
> large. This has been said many, many times in many forums, but still:
> some ICMP messages are not only beneficial, they are essential for
> the correct operation of the network. Firewalling all ICMP traffic
> is a very bad idea.

Agreed!

To those who want my rules... I will post them tonight, when I can make sure
that they are actually working. From memory I was adding an "allow esp" rule
temporarily when I needed VPN support.
-D
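The point Peter makes above (a "TCP and UDP only" ruleset silently breaks IPsec and path-MTU discovery) is easy to see with a small model of first-match filtering. The block below is an added example, not Danny's ruleset or anything from the original thread: it runs a few constructed packets (IKE on UDP/500, ESP, AH, an ICMP "fragmentation needed" message, and UDP/4500 for NAT traversal where that is in use) through a TCP/UDP-only ruleset and through one that also admits the IPsec protocols. The rule shapes are a simplified stand-in for ipfw syntax; the equivalent ipfw commands are given in comments and assume a host-style "to me" policy.

```python
"""Model of how an ipfw-style first-match ruleset treats IPsec traffic.

Added example (not from the mailing-list thread). Packets, rulesets and
the filter are all constructed here; nothing is read from a live system.
"""
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers (IANA). ipfw accepts the names icmp/tcp/udp/esp/ah.
ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51


@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[int] = None   # ICMP only
    icmp_code: Optional[int] = None   # ICMP only


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: Optional[int] = None       # None matches any IP protocol ("ip")
    dport: Optional[int] = None       # None matches any port
    icmp_types: frozenset = frozenset()  # empty = any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_types and p.icmp_type not in self.icmp_types:
            return False
        return True


def filter_packet(rules, p: Packet) -> str:
    """First matching rule wins, as in ipfw; unmatched traffic is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# (a) The ruleset Peter warns about: everything that is not TCP or UDP dies.
#   ipfw add allow tcp from any to me
#   ipfw add allow udp from any to me
#   ipfw add deny ip from any to any
TCP_UDP_ONLY = [Rule("allow", TCP), Rule("allow", UDP), Rule("deny")]

# (b) The same policy with the IPsec protocols and essential ICMP admitted.
#   ipfw add allow esp from any to me
#   ipfw add allow ah from any to me
#   ipfw add allow udp from any to me 500          # IKE
#   ipfw add allow udp from any to me 4500         # only if NAT traversal is used
#   ipfw add allow icmp from any to me icmptypes 3,11   # unreachable/needfrag, TTL exceeded
#   ipfw add allow tcp from any to me
#   ipfw add allow udp from any to me
#   ipfw add deny ip from any to any
IPSEC_AWARE = [
    Rule("allow", ESP),
    Rule("allow", AH),
    Rule("allow", UDP, 500),
    Rule("allow", UDP, 4500),
    Rule("allow", ICMP, icmp_types=frozenset({3, 11})),
    Rule("allow", TCP),
    Rule("allow", UDP),
    Rule("deny"),
]

# Constructed sample traffic an IPsec peer would send us.
IPSEC_TRAFFIC = {
    "ike": Packet(UDP, 500),
    "nat-t": Packet(UDP, 4500),
    "esp": Packet(ESP),
    "ah": Packet(AH),
    "icmp-needfrag": Packet(ICMP, icmp_type=3, icmp_code=4),
}


def evaluate(rules) -> dict:
    """Verdict for each sample packet under the given ruleset."""
    return {name: filter_packet(rules, p) for name, p in IPSEC_TRAFFIC.items()}


def tunnel_works(rules) -> bool:
    """A tunnel needs IKE and ESP to pass; PMTU discovery needs ICMP type 3."""
    v = evaluate(rules)
    return v["ike"] == "allow" and v["esp"] == "allow" and v["icmp-needfrag"] == "allow"


if __name__ == "__main__":
    for name, rules in (("tcp/udp only", TCP_UDP_ONLY), ("ipsec aware", IPSEC_AWARE)):
        print(name, evaluate(rules), "tunnel works:", tunnel_works(rules))
```

The telling result is that the TCP/UDP-only ruleset still passes IKE (it is just UDP), so phase 1 and phase 2 negotiate fine and the SAs come up, yet no data ever crosses the tunnel because ESP is dropped; that is exactly the "VPN connects but nothing works" symptom that sends people looking for an "allow esp" rule. The corrected ruleset admits ESP and AH explicitly and keeps ICMP types 3 and 11 open, which is what a tunnel needs for path-MTU discovery once the ESP overhead shrinks the usable MTU.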

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"