Creating a Firewall Rule Set
When a Client Gateway is Internet facing, it is typical to have firewall software running as well. It is important to remember that you must make allowances for IPsec Client related traffic.
For example, suppose a gateway is configured using our example racoon configuration file. Firewall rules must be added to allow clients to communicate with the gateway.
pass in proto udp from any to self port 500
pass in proto udp from any to self port 4500
pass in proto esp from any to self
ip tables example:
iptables -A INPUT -j ACCEPT -p udp --dport 500
iptables -A INPUT -j ACCEPT -p udp --dport 4500
iptables -A INPUT -j ACCEPT -p esp
When a client connects, it will establish an IPsec SA to allow traffic from itself to the private network. Suppose that a connected client was assigned a private address of 10.99.99.1 and attempts to communicate with the 10.100.100.0/24 network. If the client can transmit packets but receives no response, one likely cause is that the gateway firewall is blocking the traffic. A rule could be added which allows the client address range to communicate with the private network.
pass quick from 10.99.99.0/24 to 10.100.100.0/24
pass quick from 10.100.100.0/24 to 10.99.99.0/24
ip tables example:
iptables -A FORWARD -j ACCEPT -s 10.99.99.0/24 -d 10.100.100.0/24
iptables -A FORWARD -j ACCEPT -s 10.100.100.0/24 -d 10.99.99.0/24
NOTE : These are just example rules to illustrate the point. An actual rule set should be written with much tighter security in mind.
Some firewalls require special handling for packet fragments. For instance, using pf or ipf on a BSD Gateway would require special features to be used to handle packet fragments in certain situations.
For pf, it may be necessary to use the 'scrub all fragment reassemble' option to handle VPN related traffic.
For ipf, it may be necessary to use the 'keep frags' modifier when specifying packet filtering rules for VPN related traffic.
Copyright © 2010, Shrew Soft Inc