Creating a Firewall Rule Set

Packet Filtering


When a Client Gateway is Internet facing, it is typical to have firewall software running on it as well. The rule set must then make allowances for IPsec Client related traffic: the IKE exchange (UDP port 500), NAT-T encapsulated traffic (UDP port 4500), the ESP packets themselves, and the cleartext client traffic that appears after the gateway has decapsulated it.


For example, a gateway is configured using our example racoon configuration file, and firewall rules have been added to allow Clients to communicate with the gateway.


# for pf

# IKE negotiation
pass in proto udp from any to self port 500

# NAT-T : IKE and UDP encapsulated ESP for Clients behind NAT
pass in proto udp from any to self port 4500

# ESP for Clients that are not behind NAT
pass in proto esp from any to self


# for iptables

# IKE negotiation
iptables -A INPUT -j ACCEPT -p udp --dport 500

# NAT-T : IKE and UDP encapsulated ESP for Clients behind NAT
iptables -A INPUT -j ACCEPT -p udp --dport 4500

# ESP for Clients that are not behind NAT
iptables -A INPUT -j ACCEPT -p esp


A client connects, authenticates and establishes an IPsec SA to allow traffic between 10.99.99.1 and 10.100.100.0/24. When it attempts to ping 10.100.100.1, it gets no reply. One likely cause is that there is no firewall rule to allow this traffic to pass. The rules above only admit the encrypted ESP packets; once the gateway has decapsulated a packet, it is filtered again as a cleartext packet from 10.99.99.1 to 10.100.100.1 (on Linux it traverses the INPUT or FORWARD chain a second time), and nothing yet allows it. Rules need to be added which allow the Client address network to communicate with the private network.


# for pf

# decapsulated Client traffic towards the private network
pass quick from 10.99.99.0/24 to 10.100.100.0/24

# replies from the private network back to the Client address network
pass quick from 10.100.100.0/24 to 10.99.99.0/24


# for iptables

# decapsulated Client traffic towards the private network
iptables -A FORWARD -j ACCEPT -s 10.99.99.0/24 -d 10.100.100.0/24

# replies from the private network back to the Client address network
iptables -A FORWARD -j ACCEPT -s 10.100.100.0/24 -d 10.99.99.0/24


NOTE : These are just example rules to illustrate the point. An actual rule set should be written with much tighter security in mind: bind the IKE, NAT-T and ESP rules to the Internet facing interface and to the gateway's own address, and restrict the forwarding rules to packets that actually arrived through an IPsec SA (for example by filtering on the enc(4) interface with pf on FreeBSD or OpenBSD, or with the 'policy' match in iptables). As written, the forwarding rules above would also accept a cleartext packet arriving from the Internet with a forged 10.99.99.x source address.
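As an added example (not part of this page's racoon or firewall configuration), the script below builds a tighter Linux rule set for the same scenario. It keeps the page's client address network 10.99.99.0/24 and private network 10.100.100.0/24; the external interface name eth0 and the gateway address 203.0.113.1 are hypothetical placeholders. By default it only prints the iptables commands, so it can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example, not part of the Shrew Soft page or of racoon: a tighter
# iptables rule set for an IPsec client gateway. The client pool
# 10.99.99.0/24 and private network 10.100.100.0/24 are the page's own
# examples; the external interface and gateway address are assumptions.
# Rules are printed by default; run as root with APPLY=1 to load them.

EXT_IF=${EXT_IF:-eth0}              # assumption: Internet facing interface
GW_ADDR=${GW_ADDR:-203.0.113.1}     # assumption: gateway's public address
CLIENT_NET=${CLIENT_NET:-10.99.99.0/24}
PRIVATE_NET=${PRIVATE_NET:-10.100.100.0/24}

# Print an iptables command, and execute it as well when APPLY=1.
ipt() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    fi
}

# Forwarding decapsulated client packets into the private network needs
# routing enabled in the kernel, or the FORWARD rules never see a packet.
enable_forwarding() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    if [ "${APPLY:-0}" = 1 ]; then
        sysctl -w net.ipv4.ip_forward=1
    fi
}

gen_ipsec_rules() {
    # IKE and NAT-T are accepted only on the external interface and only
    # when addressed to the gateway itself, not "from any to anywhere".
    ipt -A INPUT -i "$EXT_IF" -d "$GW_ADDR" -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -d "$GW_ADDR" -p udp --dport 4500 -j ACCEPT
    # ESP for clients that are not behind NAT (NAT-T clients use UDP 4500).
    ipt -A INPUT -i "$EXT_IF" -d "$GW_ADDR" -p esp -j ACCEPT

    # Decapsulated client packets traverse FORWARD with their cleartext
    # addresses. The policy match requires that the packet really arrived
    # inside an IPsec SA, so a cleartext packet on $EXT_IF carrying a forged
    # $CLIENT_NET source address does not match this rule.
    ipt -A FORWARD -i "$EXT_IF" -m policy --dir in --pol ipsec --proto esp \
        -s "$CLIENT_NET" -d "$PRIVATE_NET" -j ACCEPT
    # Replies are forwarded only if they will be encrypted on the way out.
    ipt -A FORWARD -o "$EXT_IF" -m policy --dir out --pol ipsec --proto esp \
        -s "$PRIVATE_NET" -d "$CLIENT_NET" -j ACCEPT
    # Anything else claiming a client pool source address is dropped.
    ipt -A FORWARD -s "$CLIENT_NET" -j DROP
}

enable_forwarding
gen_ipsec_rules
```

The difference from the page's example rules is in the FORWARD chain: the 'policy' match ties the accept decision to the IPsec SA the packet was decrypted from, and the final DROP catches spoofed cleartext packets that the plain source/destination rules would have let through. The INPUT rules also refuse IKE, NAT-T and ESP that arrive on an internal interface or for an address the gateway does not terminate IPsec on.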


Packet Fragmentation


Some firewalls require special handling for packet fragments. VPN traffic is prone to fragmentation: IKE packets that carry certificates can exceed the path MTU, and so can ESP packets once the encapsulation overhead is added. A filter that does not reassemble fragments only sees the port or protocol header in the first fragment and may drop the others. For instance, using pf or ipf on a BSD Gateway would require special features to be used to handle packet fragments in certain situations.


For pf, it may be necessary to use the 'scrub all fragment reassemble' option to handle VPN related traffic.


For ipf, it may be necessary to use the 'keep frags' modifier when specifying packet filtering rules for VPN related traffic.

Copyright © 2007, Shrew Soft Inc