IPF: How to write IPsec 'ipf' rules, IP fragmenting of UDP packets

After installing Strongswan and testing a VPN connection with IPSec, the firewall blocks the connections. Everything works without the firewall rules.
First comes an IP packet with a low order number of the frame. It has a UDP (17) number and it is a fragment. After this comes the actual UDP packet with the information of the ESP payload. How to add this to the 'ipf' rules?
There is a man page with information: man -S5 ipf, keyword "agment". I still can't get it to work. The fragment comes first and the UDP packet it belongs to, second. Some caching of fragments maybe exists. It should be possible to filter these. How to?
escape
 
I don't have a reply for you but IPF is very old and almost no one uses it anymore. The only real reason this is still in base is because Juniper needs it and apparently it is very difficult to extract a firewall and move it to ports; however, work is being done to move it to ports.
 
Sorry, I was a bit early with this. The 'ipf' did as was mentioned in the man page. I've seen new features in the 'ipf' from the year 2019. It apparently looks like it has had some development, if it is going to be moved to the ports. Anyway, the human factor with these operating systems is somewhat big and after all the VPN connection had some more to do than just this firewall issue.

The first test like this with all of the compromises the IPSec brings with the IP fragmentation worked. It could be refocused to the VPN server IP-addresses to prevent the malicious side effects it might bring with the reduced security.
Code:
       block in all with frags
       pass in proto udp from any to any with frag-body
       pass in proto udp from any to any port = 500 with frags
       pass in proto udp from any to any port = 4500 with frags
It is easy to add more rules to this.

About the human factor. The *BSDs have a lot of scripts that "should" work. I think sometimes Linux is better here, it is more educative. If the actual work encapsulates too much inside, it's troublesome to find out what it was if it does not work. It was not the case here. It is good to test in parts. It is good to remember to have the parts smaller.

The snippet is almost directly from the man page. It worked. The keywords "keep frags", "with frags" and "with frag-body", or in which subcommand they are used, in or out, were not clearly listed. Proper testing would have helped here. I think the actual "problem" is solved. Ok, a bit early, I have spent some hours with this already. Thanks.

escape
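The following is an added example, not code from the thread or from the IPFilter project. It shows in plain Python why the ruleset above has to look the way it does: a NAT-T (UDP/4500) datagram larger than the MTU is split per RFC 791, every fragment repeats the IP header, but only the first fragment carries the UDP header with the ports. A port rule can therefore only be checked on the first fragment, and the body fragments can be admitted on source address alone, which is the "reduced security" the post mentions and the reason for narrowing the rules to the VPN peer addresses. The `ipf_decision` function is a small model of the thread's rules narrowed to known peers; it assumes (as I read the ipf man page) that `with frags` matches any fragment, `with frag-body` matches a non-first fragment, and that a later matching rule overrides an earlier one. The addresses and payload are constructed test data.

```python
import ipaddress
import struct

UDP_PROTO = 17
IKE_PORTS = {500, 4500}  # IKE and NAT-T ports, as in the ipf rules from the thread


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(src, dst, ident, flags, offset, body):
    """IPv4 header (no options) in front of body; flags: MF=1, DF=2; offset in 8-byte units."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), ident,
                      (flags << 13) | offset, 64, UDP_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + body


def build_udp_datagram(src, dst, sport, dport, payload, ident=0x1234):
    """One unfragmented UDP datagram (UDP checksum left 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return make_ipv4(src, dst, ident, 0, 0, udp)


def fragment(datagram, mtu):
    """Split a datagram into IPv4 fragments per RFC 791: every fragment repeats the IP
    header, only the first one (offset 0) also carries the UDP header."""
    hdr, body = datagram[:20], datagram[20:]
    ident = struct.unpack("!H", hdr[4:6])[0]
    src = str(ipaddress.IPv4Address(hdr[12:16]))
    dst = str(ipaddress.IPv4Address(hdr[16:20]))
    chunk = ((mtu - 20) // 8) * 8          # fragment payload must be a multiple of 8
    frags = []
    for off in range(0, len(body), chunk):
        piece = body[off:off + chunk]
        more = 1 if off + len(piece) < len(body) else 0   # MF flag on all but the last
        frags.append(make_ipv4(src, dst, ident, more, off // 8, piece))
    return frags


def parse(pkt):
    """What a stateless filter sees in one packet: addresses and protocol are always
    there; UDP ports are only readable when the fragment offset is 0."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    offset, more = f[4] & 0x1FFF, bool(f[4] & 0x2000)
    info = {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "offset": offset, "mf": more,
            "is_fragment": more or offset > 0, "sport": None, "dport": None}
    if offset == 0 and f[6] == UDP_PROTO and len(pkt) >= 28:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[20:24])
    return info


def ipf_decision(pkt, vpn_peers):
    """Model (assumed semantics, see lead-in) of the thread's rules narrowed to VPN peers:
        block in all with frags
        pass in proto udp from <peer> to any with frag-body
        pass in proto udp from <peer> to any port = 500 with frags
        pass in proto udp from <peer> to any port = 4500 with frags
    Non-fragment traffic is outside the model and is reported as 'pass'."""
    p = parse(pkt)
    if not p["is_fragment"]:
        return "pass"
    decision = "block"
    if p["proto"] == UDP_PROTO and p["src"] in vpn_peers:
        if p["offset"] > 0:
            decision = "pass"   # body fragment: no port to check, address is all we have
        elif p["dport"] in IKE_PORTS:
            decision = "pass"   # first fragment: ports are visible and must be IKE/NAT-T
    return decision


def demo():
    """Constructed data: a 2000-byte NAT-T message between two VPN peers over a 1500-byte MTU."""
    peer, gateway, stranger = "192.0.2.10", "198.51.100.1", "203.0.113.7"
    payload = b"\x00\x00\x10\x01" + bytes(range(256)) * 7 + b"\x00" * 204   # 2000 bytes
    frags = fragment(build_udp_datagram(peer, gateway, 4500, 4500, payload), 1500)
    rogue = fragment(build_udp_datagram(stranger, gateway, 4500, 4500, payload), 1500)
    dns = fragment(build_udp_datagram(peer, gateway, 5353, 53, payload), 1500)
    return {
        "fragments": [parse(f) for f in frags],
        "reassembled_ok": b"".join(f[20:] for f in frags)[8:] == payload,
        "peer_decisions": [ipf_decision(f, {peer}) for f in frags],
        "stranger_decisions": [ipf_decision(f, {peer}) for f in rogue],
        "dns_decisions": [ipf_decision(f, {peer}) for f in dns],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `dns_decisions` result is the point to take away: a non-first fragment from a trusted peer passes whatever port the datagram was really for, because the port is simply not in the packet. Restricting the `frag-body` rule to the VPN peer addresses, as the post suggests, is what keeps that exposure to the peers you already trust.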
 