IPFW & NAT for strongswan VPN

Hi all,

First time poster looking for some help with a set of IPFW rules.

I have setup a strongswan VPN for IKEv2 on a FBSD host with unbound providing filtered DNS.

The rules had previously been tested and working; however, after a recent upgrade from 11.1 to 11.3p6 that functionality has stopped. I have looked at change notes for the releases and software packages (unbound/strongswan) but have not been able to spot a change that would brick this rule set. So turning to the forums for some help.

Usage: Deny all, allow by exception. Allow remote hosts to VPN, serving up addresses in 10.99.99.0/24, and NAT traffic.

Code:
IPF="ipfw -q add"
WAN="vtnet0"
WAN_IP="[YOUR IP HERE]"
strongSwanNetwork="10.99.99.0/24"
ipfw -q -f flush
/sbin/ipfw -q table all flush

#Establish NAT 1 config
/sbin/ipfw -q nat 1 config if $WAN unreg_only reset

#Loop back interfaces
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# Catch spoofing from outside.
$IPF 45 deny ip from any to any not antispoof via $WAN

#NAT Inbound
$IPF 100 nat 1 ip4 from any to any in via $WAN
$IPF 105 check-state

#allow ping
$IPF 120 allow icmp from any to me

#Allow DNS
$IPF 130 allow tcp from me to any 53 out xmit $WAN setup keep-state
$IPF 140 allow udp from me to any 53 out xmit $WAN keep-state

#Allow strongSwan network
$IPF 187 allow ip from any to $strongSwanNetwork

# NAT Outbound traffic allow
$IPF 200 skipto 10000 tcp from $strongSwanNetwork to any out xmit $WAN
$IPF 210 skipto 10000 udp from $strongSwanNetwork to any out xmit $WAN
$IPF 215 allow tcp from me to any out via $WAN setup keep-state

# Incoming Rules - SSH (22), other services as needed
$IPF 500 allow tcp from any to me 22 in recv $WAN setup keep-state

#Incoming Rules - StrongSwan
$IPF 1010 allow udp from any to me 500 in recv $WAN keep-state
$IPF 1011 allow udp from any to me 4500 in recv $WAN keep-state
$IPF 1012 allow esp from any to any
$IPF 1013 allow ah from any to any
$IPF 1014 allow ipencap from any to any
$IPF 1030 allow udp from any to me in recv $WAN frag

# NAT rule for outgoing packets. Packets that reach this rule via skipto are
# tagged so the allow rules below only match NAT'd traffic.
$IPF 10000 nat 1 tag 10000 ip4 from any to any out via $WAN
$IPF 10010 allow tcp from any to any out via $WAN tagged 10000 setup keep-state
# 10020 was a verbatim copy of 10010; the udp rule (matching skipto 210) was clearly intended.
$IPF 10020 allow udp from any to any out via $WAN tagged 10000 keep-state
$IPF 10030 allow icmp from any to any out via $WAN tagged 10000

# deny everything else
$IPF 65534 deny log all from any to any

The VPN connects. I can reach the 10.99.99.0/24 network from VPN clients but nothing is going outbound from the host...
 
I went back and re-read the manual over coffee this morning looking for deltas. I made the following additions to the ruleset and now have traffic passing:

1. Added net.inet.tcp.tso="0" to /etc/sysctl.conf to disable TCP segmentation offloading (TSO)
2. Added /sbin/ipfw disable one_pass at top of the ruleset
3. Inserted $IPF 50 reass all from any to any in #Reassemble inbound packets
4. Modified rule 215 to $IPF 215 skipto 10000 tcp from me to any out via $WAN setup keep-state

Any suggested improvements for the rule set? Any weaknesses?
 
You probably will want to limit rules 1010-1014 so only your endpoints are able to connect to it. Or else you'll find a bunch of bots and scanners knocking at your door.

And make sure you have something in place to thwart (or otherwise annoy) bots trying to get in on your SSH, security/sshguard could help with that.
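One way to do the peer restriction suggested above, as an added example that is not part of the thread: the IKE/NAT-T/ESP/AH rules 1010-1014 are rewritten against a named ipfw table (supported since FreeBSD 11.0) instead of "from any". The table name vpnpeers and the peer addresses are constructed placeholders; IPFW defaults to echo so the generated rules can be reviewed before applying.

```shell
#!/bin/sh
# Added example, not from the original thread. Restricts the strongSwan
# listener rules to a table of known peers. Runs as a dry run (echo) by
# default; apply with IPFW="/sbin/ipfw -q" once reviewed.
IPFW=${IPFW:-"echo /sbin/ipfw -q"}
WAN=${WAN:-vtnet0}

# Constructed peer list (RFC 5737 documentation prefixes), not real endpoints.
VPN_PEERS="203.0.113.10 198.51.100.0/28"

vpn_peer_rules() {
    # Recreate the table idempotently; destroy fails harmlessly if absent.
    $IPFW table vpnpeers destroy 2>/dev/null || true
    $IPFW table vpnpeers create type addr
    for peer in $VPN_PEERS; do
        $IPFW table vpnpeers add "$peer"
    done
    # IKE (500) and NAT-T (4500) only from listed peers, inbound on WAN.
    $IPFW add 1010 allow udp from 'table(vpnpeers)' to me 500 in recv "$WAN" keep-state
    $IPFW add 1011 allow udp from 'table(vpnpeers)' to me 4500 in recv "$WAN" keep-state
    # ESP and AH are stateless here, so allow both directions explicitly
    # but only between this host and the listed peers (replaces the
    # "from any to any" rules 1012/1013; 1014 ipencap can be treated alike).
    $IPFW add 1012 allow esp from 'table(vpnpeers)' to me in recv "$WAN"
    $IPFW add 1013 allow ah from 'table(vpnpeers)' to me in recv "$WAN"
    $IPFW add 1015 allow esp from me to 'table(vpnpeers)' out xmit "$WAN"
    $IPFW add 1016 allow ah from me to 'table(vpnpeers)' out xmit "$WAN"
}

# Review helper: how many generated rules still accept traffic "from any".
count_from_any() {
    vpn_peer_rules | grep -c ' from any ' || true
}
```

Peers behind dynamic addresses need the table refreshed (e.g. from a DNS lookup in cron) rather than a static list; the rules themselves stay unchanged.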
 
SirDice - thanks. Oh definitely, I also run SSH on a non-standard port (not reflected in this copy paste). It's amazing how much a little obscurity can go a long way + some other tools for detect and defend.

One thing I have noticed with this configuration is absolutely abysmal throughput. When running a speed test through the VPN I am getting 0.58 Mbps down and 19.1 Mbps up... continuing to research.
 