# for pf
pass in proto udp from any to self port 500
pass in proto udp from any to self port 4500
pass in proto esp from any to self
# for iptables
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
A client connects, authenticates and establishes an IPsec SA covering traffic
between 10.99.99.1 and 10.100.100.0/24. When it then pings 10.100.100.1, it gets
no reply. One likely cause is that the gateway's firewall has no rule allowing
this traffic through: the rules above only admit IKE (UDP 500/4500) and ESP to
the gateway itself, not the decrypted packets the gateway then has to forward.
A quick check is whether the FORWARD chain (iptables -L FORWARD -v) or the pf
state table shows anything for the client address. Rules need to be added which
allow the client address pool (10.99.99.0/24) to communicate with the private
network.
# for pf
pass quick from 10.99.99.0/24 to 10.100.100.0/24
pass quick from 10.100.100.0/24 to 10.99.99.0/24
# for iptables
iptables -A FORWARD -s 10.99.99.0/24 -d 10.100.100.0/24 -j ACCEPT
iptables -A FORWARD -s 10.100.100.0/24 -d 10.99.99.0/24 -j ACCEPT
NOTE : These are just example rules to illustrate the point. An actual rule set
should be written with much tighter security in mind, for instance by limiting
the IKE/ESP rules to the external interface and by forwarding only packets that
really arrived through the IPsec SA (otherwise a cleartext packet with a spoofed
10.99.99.x source address matches the FORWARD rules above just as well).
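The tighter rule set the note above alludes to, as an added example that is not from the original page: the IKE/ESP rules are bound to the external interface, forwarded traffic is accepted only when it was carried inside an IPsec SA (iptables xt_policy match on Linux, the enc0 interface on OpenBSD pf), and everything else in FORWARD is dropped. The interface names (eth0, em0), the client pool 10.99.99.0/24 and the private network 10.100.100.0/24 are assumptions matching the example in the text.

```shell
#!/bin/sh
# Tightened IPsec firewall rules for the gateway described in the text.
# Added example, not from the original page. Assumed layout (labelled
# assumptions): external interface eth0 (Linux) / em0 (OpenBSD), client
# virtual-IP pool 10.99.99.0/24, private network 10.100.100.0/24.
# By default the iptables commands are only printed so the set can be
# reviewed; APPLY=1 actually runs them (needs root and the xt_policy module).

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ipsec_fw_rules WAN_IF CLIENT_NET PRIVATE_NET   (Linux / iptables)
ipsec_fw_rules() {
    wan=$1; clients=$2; private=$3

    # IKE, NAT-T and ESP are accepted only on the external interface.
    run iptables -A INPUT -i "$wan" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -i "$wan" -p udp --dport 4500 -j ACCEPT
    run iptables -A INPUT -i "$wan" -p esp -j ACCEPT

    # Forwarded client<->private traffic is accepted only if it was
    # carried inside an IPsec SA (policy match). A cleartext packet with
    # a spoofed 10.99.99.x source arriving on the WAN does not match
    # --pol ipsec and falls through to the DROP below.
    run iptables -A FORWARD -i "$wan" -s "$clients" -d "$private" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -A FORWARD -o "$wan" -s "$private" -d "$clients" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # Nothing else is forwarded through the gateway.
    run iptables -A FORWARD -j DROP
}

# ipsec_pf_rules WAN_IF CLIENT_NET PRIVATE_NET   (OpenBSD / pf)
# Prints a pf.conf fragment. Decrypted IPsec packets are seen on enc0, so
# filtering there admits only traffic that really came through the SA.
# pf is last-match-wins, hence the block rule comes first.
ipsec_pf_rules() {
    wan=$1; clients=$2; private=$3
    cat <<EOF
block on enc0
pass in on $wan proto udp from any to self port { 500 4500 }
pass in on $wan proto esp from any to self
pass on enc0 from $clients to $private keep state (if-bound)
pass on enc0 from $private to $clients keep state (if-bound)
EOF
}

# Usage: "sh rules.sh linux" prints (or with APPLY=1 installs) the iptables
# rules; "sh rules.sh pf" prints the pf.conf fragment.
case "${1:-}" in
    linux) ipsec_fw_rules eth0 10.99.99.0/24 10.100.100.0/24 ;;
    pf)    ipsec_pf_rules em0 10.99.99.0/24 10.100.100.0/24 ;;
esac
```

Run it without APPLY first and diff the printed rules against the loose set from the text; the only functional difference for a legitimate client is that forwarding now depends on the packet having been decrypted from an SA, which is exactly the property the loose rules failed to check.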