2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / doc / firewall.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE> Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
</HEAD>
<BODY>
<A HREF="toc.html">Contents</a>
<A HREF="manpages.html">Previous</a>
<A HREF="trouble.html">Next</a>
<HR>
<H1><A name="firewall">FreeS/WAN and firewalls</A></H1>
<P> FreeS/WAN, or other IPSEC implementations, frequently run on 
gateway  machines, the same machines running firewall or packet 
filtering code. This  document discusses the relation between the two.</P>
<H2><A name="packets">IPSEC packets</A></H2>
<P>IPSEC uses three main types of packet:</P>
<DL>
<DT><A href="glossary.html#IKE">IKE</A> uses <STRONG>the UDP protocol 
and port  500</STRONG>.</DT>
<DD>Unless you are using only (less secure, not recommended) manual 
 keying, you need IKE to negotiate connection parameters, acceptable 
 algorithms, key sizes and key setup. IKE handles everything required 
 to set up, rekey, repair or tear down IPSEC connections.</DD>
<DT><A href="glossary.html#ESP">ESP</A> is <STRONG>protocol number 50</STRONG>
</DT>
<DD>This is required for encrypted connections.</DD>
<DT><A href="glossary.html#AH">AH</A> is <STRONG>protocol number 51</STRONG>
</DT>
<DD>This can be used where only authentication, not encryption, is 
 required. That can also be done with ESP and null encryption.</DD>
</DL>
<P> All of those packets should have appropriate IPSEC gateway 
addresses in both the to and from IP header fields. Firewall rules can 
check this if you wish, though it is not strictly necessary. This is 
discussed in more detail <A href="#unknowngate">later</A>. </P>
<P> IPSEC processing of incoming packets authenticates them then 
removes the ESP or AH header and decrypts if necessary. Successful 
processing exposes an inner packet which is then delivered back to the 
firewall machinery, marked as having arrived on an <VAR>ipsec[0-3]</VAR>
 interface. Firewall rules can use that interface label to distinguish 
these packets from unencrypted packets which are labelled with the 
physical interface they arrived on (or perhaps with a non-IPSEC virtual 
interface such as <VAR>ppp0</VAR>).</P>
<P> One of our users sent a mailing list message with a <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00006.html">
diagram</A> of the packet flow. </P>
<H3><A name="noport">ESP and AH do not have ports</A></H3>
<P> Some protocols, such as TCP and UDP, have the notion of ports. 
Others protocols, including ESP and AH, do not. Quite a few IPSEC 
newcomers have  become confused on this point. There are no ports <EM>in</EM>
 the ESP or AH  protocols, and no ports used <EM>for</EM> them. For 
these protocols, <EM>the  idea of ports is completely irrelevant</EM>.</P>
<H3><A name="header">Header layout</A></H3>
<P>The protocol numbers for ESP or AH are used in the 'next header' 
field of  the IP header. On most non-IPSEC packets, that field would 
have one of:</P>
<UL>
<LI>1 for ICMP</LI>
<LI>4 for IP-in-IP encapsulation</LI>
<LI>6 for TCP</LI>
<LI>17 for UDP</LI>
<LI>... or one of about 100 other possibilities listed by <A href="http://www.isi.edu/in-notes/iana/assignments/protocol-numbers">
IANA</A></LI>
</UL>
<P>Each header in the sequence tells what the next header will be. 
IPSEC  adds headers for ESP or AH near the beginning of the sequence. 
The original  headers are kept and the 'next header' fields adjusted so 
that all headers  can be correctly interpreted.</P>
<P>For example, using <STRONG>[</STRONG><STRONG> ]</STRONG> to indicate 
data  protected by ESP and unintelligible to an eavesdropper between 
the  gateways:</P>
<UL>
<LI>a simple packet might have only IP and TCP headers with: 
<UL>
<LI>IP header says next header --&gt; TCP</LI>
<LI>TCP header port number --&gt; which process to send data to</LI>
<LI>data</LI>
</UL>
</LI>
<LI>with ESP <A href="glossary.html#transport">transport mode</A>
 encapsulation, that  packet would have: 
<UL>
<LI>IP header says next header --&gt; ESP</LI>
<LI>ESP header <STRONG>[</STRONG> says next --&gt; TCP</LI>
<LI>TCP header port number --&gt; which process to send data to</LI>
<LI>data <STRONG>]</STRONG></LI>
</UL>
 Note that the IP header is outside ESP protection, visible to an 
 attacker, and that the final destination must be the gateway.</LI>
<LI>with ESP in <A href="glossary.html#tunnel">tunnel mode</A>, we 
might have: 
<UL>
<LI>IP header says next header --&gt; ESP</LI>
<LI>ESP header <STRONG>[</STRONG> says next --&gt; IP</LI>
<LI>IP header says next header --&gt; TCP</LI>
<LI>TCP header port number --&gt; which process to send data to</LI>
<LI>data <STRONG>]</STRONG></LI>
</UL>
 Here the inner IP header is protected by ESP, unreadable by an 
attacker.  Also, the inner header can have a different IP address than 
the outer IP  header, so the decrypted packet can be routed from the 
IPSEC gateway to  a final destination which may be another machine.</LI>
</UL>
<P> Part of the ESP header itself is encrypted, which is why the <STRONG>
[</STRONG> indicating protected data appears in the middle of some 
lines above. The next header field of the ESP header is protected. This 
makes <A href="glossary.html#traffic">traffic analysis</A> more 
difficult. The next header field would tell an eavesdropper whether 
your packet was UDP to the gateway, TCP to the gateway, or encapsulated 
IP. It is better not to give this information away. A clever attacker 
may deduce some of it from the pattern of packet sizes and timings, but 
we need not make it easy. </P>
<P> IPSEC allows various combinations of these to match local policies, 
including combinations that use both AH and ESP headers or that nest 
multiple copies of these headers.</P>
<P> For example, suppose my employer has an IPSEC VPN running between 
two offices so all packets travelling between the gateways for those 
offices are encrypted. If gateway policies allow it (The admins could 
block UDP 500 and protocols 50 and 51 to disallow it), I can build an 
IPSEC tunnel from my desktop to a machine in some remote office. Those 
packets will have one ESP header throughout their life, for my 
end-to-end tunnel. For part of the route, however, they will also have 
another ESP layer for the corporate VPN's encapsulation. The whole 
header scheme for a packet on the Internet might be:</P>
<UL>
<LI>IP header (with gateway address) says next header --&gt; ESP</LI>
<LI>ESP header <STRONG>[</STRONG> says next --&gt; IP</LI>
<LI>IP header (with receiving machine address) says next header --&gt;  ESP</LI>
<LI>ESP header <STRONG>[</STRONG> says next --&gt; TCP</LI>
<LI>TCP header port number --&gt; which process to send data to</LI>
<LI>data <STRONG>]]</STRONG></LI>
</UL>
<P> The first ESP (outermost) header is for the corporate VPN. The 
inner ESP header is for the secure machine-to-machine link.</P>
<H2><A name="filters">Filtering rules for IPSEC packets</A></H2>
<P> As a consequence of the above, an IPSEC gateway should have packet 
filters that allow the following protocols when talking to other IPSEC 
gateways:</P>
<UL>
<LI>UDP port 500</LI>
<LI>protocol 50 if you use ESP encryption and/or authentication (the 
 typical case)</LI>
<LI>protocol 51 if you use AH packet-level authentication</LI>
</UL>
<P> Your gateway and the other IPSEC gateways it communicates with must 
be able to exchange these packets for IPSEC to work. Firewall rules 
must allow UDP 500 and at least one of AH or ESP on the interface that 
communicates with the other gateway. </P>
<H3><A name="through">IPSEC <EM>through</EM></A> the gateway</H3>
<P> The preceeding paragraph deals with packets <EM>addressed to or 
sent from  your gateway</EM>. It is a separate policy decision whether 
to permit such  packets to pass <EM>through</EM> the gateway so that 
client machines can  build end-to-end IPSEC tunnels of their own. This 
may not be practical if  you are using <A href="#NAT">NAT (IP 
masquerade)</A> on your gateway, and  may conflict with some corporate 
security policies. Other than that, it is  likely a good idea.</P>
<H3><A name="ipsec_only">Preventing non-IPSEC traffic</A></H3>
 You can of course also filter <EM>everything but</EM> UDP port 500 and 
ESP or AH to restrict traffic to IPSEC only, either for anyone 
communicating with your host or just for specific partners. 
<H3><A name="unknowngate">Filtering packets from unknown gateways</A></H3>
<P> It is possible to use firewall rules to restrict UDP 500, ESP and 
AH packets so that these packets are accepted only from known gateways. 
This is not strictly necessary since FreeS/WAN will discard packets 
from unknown gateways. You might, however, want to do it for any of a 
number of reasons. For example:</P>
<UL>
<LI>Arguably, &quot;belt and suspenders&quot; is the sensible approach to 
security.  If you can block a potential attack in two ways, use both. 
The only  question is whether to look for a third way after 
implementing the first  two.</LI>
<LI>Some admins may prefer to use the firewall code this way because 
they  prefer firewall logging to FreeS/WAN's logging.</LI>
<LI>You may need it to implement your security policy. Consider an 
 employee working at home, and a policy that says traffic from the home 
 system to the Internet at large must go first via IPSEC to the 
corporate  LAN and then out to the Internet via the corporate firewall. 
One way to  do that is to make <VAR>ipsec0</VAR> the default route on 
the home  gateway and provide exceptions only for UDP 500 and ESP to 
the corporate  gateway. Everything else is then routed via the tunnel 
to the corporate  gateway.</LI>
</UL>
<P>It is not possible to use only static firewall rules for this 
filtering  if you do not know the other gateways' IP addresses in 
advance, for example  if you have &quot;road warriors&quot; who may connect from 
a different address each  time or if want to do <A href="glossary.html#carpediem">
opportunistic encryption</A> to  arbitrary gateways. In these cases, 
you can accept UDP 500 IKE packets from  anywhere, then use the <A href="#updown">
updown</A> script feature of <A href="manpage.d/ipsec_pluto.8.html">
pluto(8)</A> to dynamically adjust  firewalling for each negotiated 
tunnel.</P>
<P>Firewall packet filtering does not much reduce the risk of a <A href="glossary.html#DOS">
denial of service attack</A> on FreeS/WAN. The firewall can drop 
 packets from unknown gateways, but KLIPS does that quite efficiently 
anyway,  so you gain little. The firewall cannot drop otherwise 
legitmate packets  that fail KLIPS authentication, so it cannot protect 
against an attack  designed to exhaust resources by making FreeS/WAN 
perform many expensive  authentication operations.</P>
<P>In summary, firewall filtering of IPSEC packets from unknown 
gateways is  possible but not strictly necessary.</P>
<H2><A name="otherfilter">Other packet filters</A></H2>
<P>When the IPSEC gateway is also acting as your firewall, other packet 
 filtering rules will be in play. In general, those are outside the 
scope of  this document. See our <A href="web.html#firewall">Linux 
firewall links</A> for  information. There are a few types of packet, 
however, which can affect the  operation of FreeS/WAN or of diagnostic 
tools commonly used with it. These  are discussed below.</P>
<H3><A name="ICMP">ICMP filtering</A></H3>
<P><A href="glossary.html#ICMP">ICMP</A> is the <STRONG>I</STRONG>
nternet <STRONG>C</STRONG>ontrol <STRONG>M</STRONG>essage <STRONG>P</STRONG>
rotocol. It is used for messages between IP implementations themselves, 
whereas IP used is used between the clients of those implementations. 
ICMP is, unsurprisingly, used for control messages. For example, it is 
used to notify a sender that a desination is not reachable, or to tell 
a router to reroute certain packets elsewhere. </P>
<P> ICMP handling is tricky for firewalls. </P>
<UL>
<LI>You definitely want some ICMP messages to get through; things won't 
work without them. For example, your clients need to know if some 
destination they ask for is unreachable. </LI>
<LI>On the other hand, you do equally definitely do not want untrusted 
folk sending arbitrary control messages to your machines. Imagine what 
someone moderately clever and moderately malicious could do to you, 
given control of your network's routing. </LI>
</UL>
<P>ICMP does not use ports. Messages are distinguished by a &quot;message 
type&quot;  field and, for some types, by an additional &quot;code&quot; field. The 
definitive  list of types and codes is on the <A href="http://www.isi.edu/in-notes/iana/assignments/icmp-parameters">
IANA</A> site.</P>
<P>One expert uses this definition for ICMP message types to be dropped 
at  the firewall.</P>
<PRE>
# ICMP types which lack socially redeeming value.
#  5     Redirect
#  9     Router Advertisement
# 10     Router Selection
# 15     Information Request
# 16     Information Reply
# 17     Address Mask Request
# 18     Address Mask Reply

badicmp='5 9 10 15 16 17 18'
</PRE>
<P> A more conservative approach would be to make a list of allowed 
types and drop everything else.</P>
<P>Whichever way you do it, your ICMP filtering rules on a FreeS/WAN 
gateway  should allow at least the following ICMP packet types:</P>
<DL>
<DT>echo (type 8)</DT>
<DD>
<DT>echo reply (type 0)</DT>
<DD>These are used by ping(1). We recommend allowing both types through 
 the tunnel and to or from your gateway's external interface, since 
 ping(1) is an essential testing tool. </DD>
<P>It is fairly common for firewalls to drop ICMP echo packets 
 addressed to machines behind the firewall. If that is your policy, 
 please create an exception for such packets arriving via an IPSEC 
 tunnel, at least during intial testing of those tunnels.</P>
<DT>destination unreachable (type 3)</DT>
<DD>This is used, with code 4 (Fragmentation Needed and Don't Fragment 
 was Set) in the code field, to control <A href="glossary.html#pathMTU">
path MTU  discovery</A>. Since IPSEC processing adds headers, enlarges 
packets  and may cause fragmentation, an IPSEC gateway should be able 
to send  and receive these ICMP messages <STRONG>on both inside and 
outside  interfaces</STRONG>.</DD>
</DL>
<H3><A name="traceroute">UDP packets for traceroute</A></H3>
<P> The traceroute(1) utility uses UDP port numbers from 33434 to 
approximately 33633. Generally, these should be allowed through for 
troubleshooting.</P>
<P> Some firewalls drop these packets to prevent outsiders exploring 
the protected network with traceroute(1). If that is your policy, 
consider creating an exception for such packets arriving via an IPSEC 
tunnel, at least during intial testing of those tunnels.</P>
<H3><A name="l2tp">UDP for L2TP</A></H3>
 Windows 2000 does, and products designed for compatibility with it 
may, build <A href="glossary.html#L2TP">L2TP</A> tunnels over IPSEC 
connections. 
<P> For this to work, you must allow UDP protocol 1701 packets coming 
out of your tunnels to continue to their destination. You can, and 
probably should, block such packets to or from your external 
interfaces, but allow them from <VAR>ipsec0</VAR>. </P>
<P> See also our Windows 2000 <A href="interop.html#win2k">
interoperation discussion</A>. </P>
<H2><A name="NAT">IPSEC and NAT</A></H2>
<P><A href="glossary.html#NAT"> Network Address Translation</A>, also 
known as IP masquerading, is a method of allocating IP addresses 
dynamically, typically in circumstances where the total number of 
machines which need to access the Internet exceeds the supply of IP 
addresses.</P>
<P> Any attempt to perform NAT operations on IPSEC packets <EM>between 
the  IPSEC gateways</EM> creates a basic conflict:</P>
<UL>
<LI>IPSEC wants to authenticate packets and ensure they are unaltered 
on a  gateway-to-gateway basis</LI>
<LI>NAT rewrites packet headers as they go by</LI>
<LI>IPSEC authentication fails if packets are rewritten anywhere 
between  the IPSEC gateways</LI>
</UL>
 For <A href="glossary.html#AH">AH</A>, which authenticates parts of 
the packet header including source and destination IP addresses, this 
is fatal. If NAT changes those fields, AH authentication fails. 
<P> For <A href="glossary.html#IKE">IKE</A> and <A href="glossary.html#ESP">
ESP</A> it is not necessarily fatal, but is certainly an unwelcome 
complication. </P>
<H3><A name="nat_ok">NAT on or behind the IPSEC gateway works</A></H3>
<P> This problem can be avoided by having the masquerading take place <EM>
on or behind</EM> the IPSEC gateway. </P>
<P> This can be done physically with two machines, one physically 
behind the other. A picture, using SG to indicate IPSEC <STRONG>S</STRONG>
ecurity <STRONG>G</STRONG>ateways, is: </P>
<PRE>
      clients --- NAT ----- SG ---------- SG
                  two machines
</PRE>
<P> In this configuration, the actual client addresses need not be 
given in the <VAR>leftsubnet=</VAR> parameter of the FreeS/WAN 
connection description. The security gateway just delivers packets to 
the NAT box; it needs only that machine's address. What that machine 
does with them does not affect FreeS/WAN. </P>
<P> A more common setup has one machine performing both functions:</P>
<PRE>
      clients ----- NAT/SG ---------------SG
                  one machine
</PRE>
 Here you have a choice of techniques depending on whether you want to 
make your client subnet visible to clients on the other end: 
<UL>
<LI>If you want the single gateway to behave like the two shown above, 
with your clients hidden behind the NAT, then omit the <VAR>leftsubnet=</VAR>
 parameter. It then defaults to the gateway address. Clients on the 
other end then talk via the tunnel only to your gateway. The gateway 
takes packets emerging from the tunnel, applies normal masquerading, 
and forwards them to clients. </LI>
<LI>If you want to make your client machines visible, then give the 
client subnet addresses as the <VAR>leftsubnet=</VAR> parameter in the 
connection description and 
<DL>
<DT>either </DT>
<DD>set <VAR>leftfirewall=yes</VAR> to use the default <VAR>updown</VAR>
 script </DD>
<DT>or </DT>
<DD>use your own script by giving its name in a <VAR>leftupdown=</VAR>
 parameter </DD>
</DL>
 These scripts are described in their own <A href="#updown">section</A>
. </LI>
<P> In this case, no masquerading is done. Packets to or from the 
client subnet are encrypted or decrypted without any change to their 
client subnet addresses, although of course the encapsulating packets 
use gateway addresses in their headers. Clients behind the right 
security gateway see a route via that gateway to the left subnet.</P>
</UL>
<H3><A name="nat_bad">NAT between gateways is problematic</A></H3>
<P> We recommend not trying to build IPSEC connections which pass 
through a NAT machine. This setup poses problems:</P>
<PRE>
      clients --- SG --- NAT ---------- SG
</PRE>
 If you must try it, some references are: 
<UL>
<LI>Jean_Francois Nadeau's document on doing <A href="http://jixen.tripod.com/#NATed gateways">
IPSEC behind NAT</A></LI>
<LI><A href="web.html#VPN.masq">VPN masquerade patches</A> to make a 
Linux NAT box handle IPSEC packets correctly </LI>
</UL>
<H3><A name="">Other references on NAT and IPSEC</A></H3>
 Other documents which may be relevant include: 
<UL>
<LI>an Internet Draft on <A href="http://search.ietf.org/internet-drafts/draft-aboba-nat-ipsec-04.txt">
IPSEC and NAT</A> which may eventually evolve into a standard solution 
for this problem. </LI>
<LI>an informational <A href="http://www.cis.ohio-state.edu/rfc/rfc2709.txt">
RFC</A>, <CITE>Security Model with Tunnel-mode IPsec for NAT Domains</CITE>
. </LI>
<LI>an <A href="http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html">
article</A> in Cisco's <CITE>Internet Protocol Journal</CITE></LI>
</UL>
<H2><A name="updown">Calling firewall scripts, named in ipsec.conf(5)</A>
</H2>
<P> The <A href="manpage.d/ipsec.conf.5.html">ipsec.conf</A>
 configuration file has three pairs of parameters used to specify an 
interface between FreeS/WAN and firewalling code.</P>
<P> Note that using these is not required if you have a static firewall 
setup. In that case, you just set your firewall up at boot time (in a 
way that permits the IPSEC connections you want) and do not change it 
thereafter. Omit all the FreeS/WAN firewall parameters and FreeS/WAN 
will not attempt to adjust firewall rules at all. See <A href="#examplefw">
below</A> for some information on appropriate scripts. </P>
<P> However, if you want your firewall rules to change when IPSEC 
connections change, then you need to use these parameters. </P>
<H3><A name="pre_post">Scripts called at IPSEC start and stop</A></H3>
<P> One pair of parmeters are set in the <VAR>config setup</VAR>
 section of the <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
 file and affect all connections:</P>
<DL>
<DT>prepluto=</DT>
<DD>
<DT>postpluto=</DT>
<DD>specify scripts to be called before our <A href="manpage.d/ipsec_pluto.8.html">
pluto(8)</A> IKE daemon is started and after it is stopped.</DD>
</DL>
 These parameters allow you to change firewall parameters whenever 
IPSEC is started or stopped. 
<P> They can also be used in other ways. For example, you might have <VAR>
prepluto</VAR> add a module to your kernel for the secure network 
interface or make a dialup connection, and then have <VAR>postpluto</VAR>
 remove the module or take the connection down. </P>
<H3><A name="up_down">Scripts called at connection up and down</A></H3>
<P> The other parameters are set in connection descriptions. They can 
be set in individual connection descriptions, and could even call 
different scripts for each connection for maximum flexibility. In most 
applications, however, it makes sense to use only one script and to 
call it from <VAR>conn %default</VAR> section so that it applies to all 
connections. </P>
<P> You can either set <VAR>[left|right]firewall=yes</VAR> to use our 
supplied default script or assign a name in a <VAR>[left|right]updown=</VAR>
 line to use your own script. </P>
<P> For details of when Pluto calls these scripts, what arguments it 
passes to them, and what the default script does with those arguments, 
see the <A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A> man 
page. </P>
<P> Note that <STRONG>only one of these should be used</STRONG>. You 
cannot sensibly use both. </P>
<H4><A name="">The default script</A></H4>
 We supply a default script named <VAR>_updown</VAR>. 
<DL>
<DT>leftfirewall=</DT>
<DD>
<DT>rightfirewall=</DT>
<DD>indicates that the gateway is doing firewalling and that <A href="manpage.d/ipsec_pluto.8.html">
pluto(8)</A> should poke holes in  the firewall as required. </DD>
</DL>
 Set these to <VAR>yes</VAR> and Pluto will call our default script <VAR>
 _updown</VAR> with appropriate arguments whenever it: 
<UL>
<LI>starts or stops IPSEC services</LI>
<LI>brings a connection up or down</LI>
</UL>
 The supplied default <VAR>_updown</VAR> script is appropriate for 
simple cases using the <VAR>ipfwadm(8)</VAR> firewalling package. 
<H4><A name="userscript">User-written scripts</A></H4>
 You can also write your own script and have Pluto call it. Just put 
the script's name in one of these <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A> lines: 
<DL>
<DT>leftupdown=</DT>
<DD>
<DT>rightupdown=</DT>
<DD>specifies a script to call instead of our default script <VAR>
 _updown</VAR>.</DD>
</DL>
 Your script should take the same arguments and use the same 
environment variables as <VAR>_updown</VAR>. These are described in the <A
href="manpage.d/ipsec_pluto.8.html">pluto(8)</A> man page. 
<P> In developing your own script, you can of course use our scripts 
(either the default _updown or the ipchains-based example given <A href="#exupdownchains">
below</A>) as a starting point. Note, however, that <STRONG>you should 
not modify our _updown script in place</STRONG>. If you did that, then 
upgraded FreeS/WAN, the upgrade would install a new default script, 
overwriting your changes. </P>
<H3><A name="ipchains.script">Scripts for ipchains</A></H3>
<P> Our <VAR>_updown</VAR> is for firewalls using <VAR>ipfwadm(8)</VAR>
. If you are using the more recent package <VAR>ipchains(8)</VAR>, you 
must do one of: </P>
<UL>
<LI>use static firewall rules which require no change for FreeS/WAN </LI>
<LI>limit yourself to ipchains(8)'s ipfwadm(8) emulation mode in  order 
to use our script </LI>
<LI>write your own script and call it with <VAR>leftupdown</VAR> and <VAR>
 rightupdown</VAR>. </LI>
</UL>
<P> We provide an <A href="#exupdownchains">example script</A> for use 
 with ipchains(8) below.</P>
<H3><A name="dhr">DHR on the updown script</A></H3>
<P> Here are some mailing list comments from <A href="manpage.d/ipsec_pluto.8.html">
pluto(8)</A> developer Hugh Redelmeier on an earlier draft of this 
document:</P>
<PRE>
There are many important things left out

- firewalling is important but must reflect (implement) policy.  Since
  policy isn't the same for all our customers, and we're not experts,
  we should concentrate on FW and MASQ interactions with FreeS/WAN.

- we need a diagram to show packet flow WITHIN ONE MACHINE, assuming
  IKE, IPsec, FW, and MASQ are all done on that machine.  The flow is
  obvious if the components are run on different machines (trace the
  cables).

  IKE input:
        + packet appears on public IF, as UDP port 500
        + input firewalling rules are applied (may discard)
        + Pluto sees the packet.

  IKE output:
        + Pluto generates the packet &amp; writes to public IF, UDP port 500
        + output firewalling rules are applied (may discard)
        + packet sent out public IF

  IPsec input, with encapsulated packet, outer destination of this host:
        + packet appears on public IF, protocol 50 or 51.  If this
          packet is the result of decapsulation, it will appear
          instead on the paired ipsec IF.
        + input firewalling rules are applied (but packet is opaque)
        + KLIPS decapsulates it, writes result to paired ipsec IF
        + input firewalling rules are applied to resulting packet
          as input on ipsec IF
        + if the destination of the packet is this machine, the
          packet is passed on to the appropriate protocol handler.
          If the original packet was encapsulated more than once
          and the new outer destination is this machine, that
          handler will be KLIPS.
        + otherwise:
          * routing is done for the resulting packet.  This may well
            direct it into KLIPS for encoding or encrypting.  What
            happens then is described elsewhere.
          * forwarding firewalling rules are applied
          * output firewalling rules are applied
          * the packet is sent where routing specified

 IPsec input, with encapsulated packet, outer destination of another host:
        + packet appears on some IF, protocol 50 or 51
        + input firewalling rules are applied (but packet is opaque)
        + routing selects where to send the packet
        + forwarding firewalling rules are applied (but packet is opaque)
        + packet forwarded, still encapsulated

  IPsec output, from this host or from a client:
        + if from a client, input firewalling rules are applied as the
          packet arrives on the private IF
        + routing directs the packet to an ipsec IF (this is how the
          system decides KLIPS processing is required)
        + if from a client, forwarding firewalling rules are applied
        + KLIPS eroute mechanism matches the source and destination
          to registered eroutes, yielding a SPI group.  This dictates
          processing, and where the resulting packet is to be sent
          (the destinations SG and the nexthop).
        + output firewalling is not applied to the resulting
          encapsulated packet

- Until quite recently, KLIPS would double encapsulate packets that
  didn't strictly need to be.  Firewalling should be prepared for
  those packets showing up as ESP and AH protocol input packets on
  an ipsec IF.

- MASQ processing seems to be done as if it were part of the
  forwarding firewall processing (this should be verified).

- If a firewall is being used, it is likely the case that it needs to
  be adjusted whenever IPsec SAs are added or removed.  Pluto invokes
  a script to do this (and to adjust routing) at suitable times.  The
  default script is only suitable for ipfwadm-managed firewalls.  Under
  LINUX 2.2.x kernels, ipchains can be managed by ipfwadm (emulation),
  but ipchains more powerful if manipulated using the ipchains command.
  In this case, a custom updown script must be used.

  We think that the flexibility of ipchains precludes us supplying an
  updown script that would be widely appropriate.
</PRE>
 We do provide a sample script in the next section. It is essentially a 
transliteration of the version we supply for ipfwadm. Because it 
doesn't process the command line argument, it cannot be directly 
subsituted -- it won't support the semantics of *firewall=no. It can be 
used in <VAR>[left|right]updown=</VAR>. 
<H3><A name="exupdownchains">Example updown script for ipchains</A></H3>
<P> Here is an example updown script for use with ipchains. It is 
intended to be called via an <VAR>updown=</VAR> statement in <A href="manpage.d/ipsec.conf.5.html">
 ipsec.conf</A>. </P>
<PRE>
#! /bin/sh
# sample updown script for ipchains
# Copyright (C) 2000  D. Hugh Redelmeier, Henry Spencer
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See .
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: firewall.html,v 1.20 2001/06/12 05:14:54 sandy Exp $

# check interface version
case &quot;$PLUTO_VERSION&quot; in
1.0)    ;;
*)      echo &quot;$0: unknown interface version \`$PLUTO_VERSION'&quot; &gt;2        exit 2
        ;;
esac

# check parameter(s)
case &quot;$*&quot; in
'')     ;;
*)      echo &quot;$0: parameters unexpected&quot; &gt;2        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should never be necessary and is most unwise.
uproute() {
        route add -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
                dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}
downroute() {
        route del -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
                dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}

# the big choice
case &quot;$PLUTO_VERB&quot; in
prepare-host|prepare-client)
        # delete possibly-existing route (preliminary to adding a route)
        oops=&quot;`route del -net $PLUTO_PEER_CLIENT_NET \
                                        netmask $PLUTO_PEER_CLIENT_MASK 2&gt;1&quot;
        status=&quot;$?&quot;
        if test &quot; $oops&quot; = &quot; &quot; -a &quot; $status&quot; != &quot; 0&quot;
        then
                oops=&quot;silent error in route command, exit status $status&quot;
        fi
        case &quot;$oops&quot; in
        'SIOCDELRT: No such process')
                # This is what route (currently -- not documented!) gives
                # for &quot;could not find such a route&quot;.
                status=0
                ;;
        esac
        exit $status
        ;;
route-host|route-client)
        # connection to this host or client being routed
        uproute
        ;;
unroute-host|unroute-client)
        # connection to this host or client being unrouted
        downroute
        ;;
up-host)
        # connection to this host coming up
        ;;
down-host)
        # connection to this host going down
        ;;
up-client)
        # connection to client subnet, through forwarding firewall, coming up
        ipchains -I forward -j ACCEPT -b \
                -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client)
        # connection to client subnet, through forwarding firewall, going down
        ipchains -D forward -j ACCEPT -b \
                -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*)      echo &quot;$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'&quot; &gt;2        exit 1
        ;;
esac</PRE>
<H2><A name="examplefw">Ipchains firewall configuration at boot</A></H2>
<P> It is also possible to set up both firewalling and IPSEC with 
appropriate scripts at boot and then not use <VAR>leftupdown=</VAR> and <VAR>
rightupdown=</VAR>, or use them only for simple up and down operations.</P>
<P> Basically, the technique is </P>
<UL>
<LI>allow IPSEC packets (typically, IKE on UDP port 500 plus ESP, 
protocol 50) 
<UL>
<LI>incoming, if the destination address is your gateway (and 
optionally, only from known senders) </LI>
<LI>outgoing, with the from address of your gateway (and optionally, 
only to known receivers) </LI>
</UL>
</LI>
<LI>let <A href="glossary.html#Pluto">Pluto</A> deal with IKE </LI>
<LI>let <A href="glossary.html#KLIPS">KLIPS</A> deal with ESP </LI>
<LI>if necessary, filter incoming packets emerging from KLIPS. </LI>
</UL>
<P> Firewall rules can recognise packets emerging from IPSEC. They are 
marked as arriving on an interface such as <VAR>ipsec0</VAR>, rather 
than <VAR>eth0</VAR>, <VAR>ppp0</VAR> or whatever. </P>
<P> While it is possible to create such rules yourself (please let us 
know via the <A href="mail.html">mailing list</A> if you do), it may be 
both easier and more secure to use a set which has already been 
published and tested. Those we know of are described below. </P>
<H3><A name="Ranch.trinity">Scripts based on Ranch's work</A></H3>
<P> One user, Rob Hutton, posted his boot time scripts to the mailing 
list, and we included them in previous versions of this documentation. 
They are still available from our <A href="http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/firewall.html#examplefw">
web site</A>. However, they were for an earlier FreeS/WAN version so we 
no longer recommend them. Also, they had some bugs. See this <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00316.html">
message</A>. </P>
<P> Those scripts were based on David Ranch's scripts for his &quot;Trinity 
OS&quot; for setting up a secure Linux. Check his <A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html">
home page</A> for the latest version and for information on his <A href="biblio.html#ranch">
book</A> on securing Linux. If you are going to base your firewalling 
on Ranch's scripts, we recommend using his latest version, and sending 
him any IPSEC modifications you make for incorporation into later 
versions.</P>
<H3><A name="seawall">The Seattle firewall</A></H3>
 We have had several mailing lists reports of good results using 
FreeS/WAN with Seawall (the Seattle Firewall). See that project's <A href="http://seawall.sourceforge.net/">
home page</A> on Sourceforge. 
<H3><A name="rcf">The RCF scripts</A></H3>
 Another set of firewall scripts with IPSEC support are the RCF or 
rc.firewall scripts. See their <A href="http://jsmoriss.mvlan.net/linux/rcf.html">
home page</A>. <HR>
<A HREF="toc.html">Contents</a>
<A HREF="manpages.html">Previous</a>
<A HREF="trouble.html">Next</a>
</BODY>
</HTML>