Subject: IPSEC (was Re: does IPF/IPNat work on -current/i386?)
To: None <current-users@netbsd.org>
From: Wolfgang S. Rupprecht <wolfgang+gnus20040406T092134@dailyplanet.dontspam.wsrcc.com>
List: current-users
Date: 04/06/2004 09:45:29
Date: Tue, 06 Apr 2004 09:45:29 -0700
In-Reply-To: <20040404174025.EDB007B44@berkshire.research.att.com> (Steven M. Bellovin's message of "4 Apr 2004 17:40:24 GMT")
Message-ID: <x7vfkdf42e.fsf_-_@bonnet.wsrcc.com>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: current-users-owner@NetBSD.org
smb@research.att.com (Steven M. Bellovin) writes:
> I've turned off ipfilter on my 2.0beta machine -- and had to turn
> off several services I'd rather were on -- while waiting for a
> statement that the problem has been fixed.

I wonder if NetBSD's ipsec subsystem could be used to do what ipf did.

What would be needed is a good set of examples of how to set up the
hosts on a local network to block most external traffic yet allow
unrestricted access to certain services that are known to be safe,
e.g.:

    block all traffic to local ports less than port 49152 unless ipsec
          validates it as locally-originating traffic.

    allow all traffic to the ports for smtp, ssh, ntp, dns

The documentation on ipsec is a bit lacking.  I can't even tell if the
rules for matching are first-match, last-match, or most-specific
match.

-wolfgang