IPFW configuration when doing EtherIP tunnel

[BioZ]

Hi!

I would kindly ask you for some help/advice in configuring IPFW.

I have two VMs with FreeBSD 9.0 installed.
On each machine:
There are two interfaces, em0 and em1.
em0 has public IP address assigned (a.b.c.d), while em1 has none.
There is a tunnel interface gif0 created (with target IP e.f.g.h).
There is a bridge interface bridge0 with members em1 and gif0.
I'm configuring them via SSH from IP i.j.k.l.

I would like to secure each machine at their em0 ("public") interface regarding following rules:
- accept incoming and outgoing EtherIP frames between those two endpoints
- allow to connect to the machine via SSH and to ping (ICMP and ARP is needed I think), from one IP address
- allow to ping (ICMP and ARP is needed I think) from the machine
- deny any other traffic

As far as I understand EtherIP implementation in FreeBSD, packets incoming at em1 will be sent through gif0 like regular packets, but it will be visible at em0 as EtherIP packets, right?
If so, then I thought of commands like those:

ipfw -q add allow etherip from e.f.g.h to a.b.c.d in via em0 #incoming EtherIP
ipfw -q add allow etherip from a.b.c.d to e.f.g.h out via em0 #outgoing EtherIP
ipfw -q add allow all from i.j.k.l to a.b.c.d in via em0 #for SSH and ping for me
ipfw -q add allow icmp from any to any out via em0 #for pings
ipfw -q add allow icmp from any to any in via em0 #for pings
ipfw -q add deny all from any to any #if every rule didn't match, the packet is not allowed

Is that more or less alright?
I'm starting with FreeBSD (UNIX at all), also such firewall tools are new to me.

Thanks in advance.
Regards,
Tomasz

 

[SirDice]

The gif(4) tunnel interface uses IP over IP. It cannot do Ethernet over IP.

What exactly are you trying to accomplish?

 

[BioZ]

:|
It has been told to me that it would do the work as EtherIP (old but simple solution for tunneling ethernet frames over IP).

Exactly I want to secure the machines on their "public" side from unwanted traffic and unauthorized people when it's about ssh.

Regards.

 

[BioZ]

Ah, I know where that information about EtherIP came from, bridge man page:

The bridge can tunnel Ethernet across an IP internet using the EtherIP
protocol. This can be combined with ipsec(4) to provide an encrypted
connection. Create a gif(4) interface and set the local and remote IP
addresses for the tunnel, these are reversed on the remote bridge.

ifconfig gif0 create
ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
ifconfig bridge0 create
ifconfig bridge0 addm fxp0 addm gif0 up

Note that FreeBSD 6.1, 6.2, 6.3, 7.0, 7.1, and 7.2 have a bug in the
EtherIP protocol. For more details and workaround, see gif(4) manual
page.

 

[SirDice]

Exactly I want to secure the machines on their "public" side from unwanted traffic and unauthorized people when it's about ssh.

You don't need EtherIP. At all. You don't need a bridge either.

Install something like security/sshguard or security/py-fail2ban.

 

[BioZ]

Uh huh, sorry for being not precise.
For security I don't need EtherIP, you're right.
But I want to have EtherIP tunnel established between two machines regardless to this security issue.

I'll take a look at those two tools, thanks!

Regards.

 

[SirDice]

But I want to have EtherIP tunnel established between two machines regardless to this security issue.

Why? Since they are both VMs why not put both machine's em1 in the same host-only network? That will allow you to communicate on layer 2 between them.

 

[BioZ]

Let's say, for educational purposes . They are hosted on two different servers as well.

Regards.

 

[SirDice]

The bit you copy/pasted from bridge(4) looks fairly straight forward.

 

[BioZ]

So I think that everything is clear for both of us and we have reached EoT .
I will try to work with sshguard.

Thanks again.
Regards.