Hi all,
First time poster looking for some help with a set of IPFW rules.
I have set up a strongswan VPN for IKEv2 on a FBSD host with unbound providing filtered DNS.
The rules had previously been tested and working; however, after a recent upgrade from 11.1 to 11.3p6 that functionality has stopped. I have looked at change notes for the releases and software packages (unbound/strongswan) but have not been able to spot a change that would brick this rule set. So turning to the forums for some help.
usage: Deny all, allow by exception. Allow remote hosts to VPN, serving up addresses in 10.99.99.0/24, and NAT traffic.
The VPN connects. I can reach the 10.99.99.0/24 network from VPN clients but nothing is going outbound from the host...
Code:
IPF="ipfw -q add"
WAN="vtnet0"
WAN_IP="[YOUR IP HERE]"
strongSwanNetwork="10.99.99.0/24"
ipfw -q -f flush
/sbin/ipfw -q table all flush
#Establish NAT 1 config
/sbin/ipfw -q nat 1 config if $WAN unreg_only reset
#Loop back interfaces
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# Catch spoofing from outside.
$IPF 45 deny ip from any to any not antispoof via $WAN
#NAT Inbound
$IPF 100 nat 1 ip4 from any to any in via $WAN
$IPF 105 check-state
#allow ping
$IPF 120 allow icmp from any to me
#Allow DNS
$IPF 130 allow tcp from me to any 53 out xmit $WAN setup keep-state
$IPF 140 allow udp from me to any 53 out xmit $WAN keep-state
#Allow strongSwan network
$IPF 187 allow ip from any to $strongSwanNetwork
# NAT Outbound traffic allow
$IPF 200 skipto 10000 tcp from $strongSwanNetwork to any out xmit $WAN
$IPF 210 skipto 10000 udp from $strongSwanNetwork to any out xmit $WAN
$IPF 215 allow tcp from me to any out via $WAN setup keep-state
# Incoming Rules - SSH (22), other services as needed
$IPF 500 allow tcp from any to me 22 in recv $WAN setup keep-state
#Incoming Rules - StrongSwan
$IPF 1010 allow udp from any to me 500 in recv $WAN keep-state
$IPF 1011 allow udp from any to me 4500 in recv $WAN keep-state
$IPF 1012 allow esp from any to any
$IPF 1013 allow ah from any to any
$IPF 1014 allow ipencap from any to any
$IPF 1030 allow udp from any to me in recv $WAN frag
# NAT rule for outgoing packets.
$IPF 10000 nat 1 tag 10000 ip4 from any to any out via $WAN
$IPF 10010 allow tcp from any to any out via vtnet0 tagged 10000 setup keep-state
# Rule 10020 was an exact copy of 10010; the UDP traffic sent here by rule 210 needs its own allow
$IPF 10020 allow udp from any to any out via vtnet0 tagged 10000 keep-state
$IPF 10030 allow icmp from any to any out via vtnet0 tagged 10000
# deny everything else
$IPF 65534 deny log all from any to any
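A quick static check for rule scripts in the "$IPF <number> <body>" form used in the post, added here as an example and not part of the original post or the strongSwan/ipfw projects: it flags rule bodies that appear under more than one number (copy-paste duplicates like 10010/10020 above) and skipto targets with no rule at that number. The file path and the sample rule set are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint an IPFW rule script for
# duplicate rule bodies and skipto jumps to rule numbers that do not exist.

# Prints one line per finding; the exit status is the number of findings.
lint_ipfw_script() {
    awk '
        $1 == "$IPF" {                       # a line that adds a rule
            num = $2
            body = ""
            for (i = 3; i <= NF; i++) body = body (i > 3 ? " " : "") $i
            have[num] = 1
            if (body in seen) {              # same body already added under another number
                printf "duplicate: rule %s repeats rule %s: %s\n", num, seen[body], body
                problems++
            } else {
                seen[body] = num
            }
            if ($3 == "skipto") target[$4] = num
        }
        END {
            for (t in target)
                if (!(t in have)) {          # skipto to a number with no rule behind it
                    printf "dangling skipto: rule %s jumps to %s\n", target[t], t
                    problems++
                }
            exit problems
        }
    ' "$1"
}

# Constructed sample modelled on the rule set in the post (not the real file).
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
IPF="ipfw -q add"
$IPF 200 skipto 10000 tcp from 10.99.99.0/24 to any out xmit vtnet0
$IPF 210 skipto 10000 udp from 10.99.99.0/24 to any out xmit vtnet0
$IPF 300 skipto 20000 icmp from 10.99.99.0/24 to any out xmit vtnet0
$IPF 10000 nat 1 tag 10000 ip4 from any to any out via vtnet0
$IPF 10010 allow tcp from any to any out via vtnet0 tagged 10000 setup keep-state
$IPF 10020 allow tcp from any to any out via vtnet0 tagged 10000 setup keep-state
$IPF 65534 deny log all from any to any
EOF

# Reports the 10010/10020 duplicate and the skipto 20000 with no rule there.
lint_ipfw_script "$SAMPLE_RULES" || echo "findings: $?"
```

Run it against the real script (`lint_ipfw_script /etc/ipfw.rules`) before loading the rules; a body that survives under two numbers or a skipto with no landing rule will hit the final deny for the protocol it was meant to cover.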