Simplifying complex IPSec or Firewall solutions -- such as NFS -- with gif(4)
The BSDs each have gif(4), a driver that provides a general purpose tunnel interface. You can add them whenever you want to encapsulate IP packets, and tunnel packets inside an outer IP packet. The man pages don't tell you what these are for, or why you would want to use them.
I find gif(4) tunnels helpful whenever I have a complex protocol that is difficult to define in firewall rules or in IPSec flow descriptions. It adds an extra IP header to my data packet, but that tradeoff is usually worth it to provide simple management solutions for what might otherwise be complex or unsolvable problems.

One example is NFS Version 3. It uses Remote Procedure Call programs and dynamic UDP or TCP port numbers, and the port numbers can be unpredictable. What if I wished to encrypt the NFS traffic between client and server, and only the NFS traffic? Or set up a firewall so that only NFS traffic was passed, but not other traffic? Without knowing the dynamic port numbers that will be used, that can be difficult.

Using gif(4), I don't need to know the port numbers. I don't even need to know if the traffic will use TCP or UDP. Instead, I just need to define tunneled, virtual IP addresses and direct all the NFS traffic to them. Then, I write my rules by gif(4) interface or virtual IP address.

For example, I have this gif(4) interface defined on this workstation I'm typing on, in /etc/hostname.gif0:

Code:
tunnel 10.0.1.130 10.0.1.253
!ifconfig gif0 10.0.3.2 10.0.3.1 netmask 255.255.255.0

Code:
gif0: flags=28051<UP,POINTOPOINT,RUNNING,MULTICAST,NOINET6> mtu 1280
        priority: 0
        groups: gif
        tunnel: inet 10.0.1.130 -> 10.0.1.253
        inet 10.0.3.2 --> 10.0.3.1 netmask 0xffffff00

The server I am using has a gif(4) configured the same way, but with reversed addresses:

Code:
gif0: flags=28051<UP,POINTOPOINT,RUNNING,MULTICAST,NOINET6> mtu 1280
        priority: 0
        groups: gif
        tunnel: inet 10.0.1.253 -> 10.0.1.130
        inet 10.0.3.1 --> 10.0.3.2 netmask 0xffffff00

Code:
/var /var/mail 10.0.3.2

Code:
ikev2 esp \
        from 10.0.3.1 to 10.0.3.2 srcid fw2.jggimi.homeip.net dstid netbook.jggimi.homeip.net

Code:
#
# allow IPSec under a gif0 tunnel (used for NFS with netbook)
#
# 1. permit the gif0 traffic to be embedded on $internal_nic:
pass log on $internal_nic proto ipencap
# 2. permit IKE traffic on UDP port 500 (NAT-Traversal is not used):
pass log on gif0 proto udp from any port 500 to any port 500
# 3. permit IPSec on gif0:
pass log on gif0 proto esp

Code:
$ sudo mount fw2-gif:/var/mail /fw2
$ xbiff -file /fw2/jggimi -geometry -4-4 &

Last edited by jggimi; 3rd November 2014 at 08:50 PM. Reason: clarity, typos, and a thinko
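The whole arrangement above rests on the two gif0 interfaces being exact mirror images of each other: each end's local outer and inner addresses must be the other end's remote ones, and the exports entry, the ikev2 flow and the pf rules then name only the inner 10.0.3.x addresses or the gif0 interface. A mistake in that mirroring fails quietly, so it is worth checking mechanically. The POSIX shell script below is an added example and not part of jggimi's post: it parses ifconfig gif0 output in the format shown above, verifies that two ends mirror each other, and derives the peer's /etc/hostname.gif0 from one end's output. The two sample outputs are copied from the post; the function names and the fixed 255.255.255.0 netmask written into the generated file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a pair of gif(4)
# tunnel endpoints. Function names here are this example's own.

# Sample ifconfig gif0 output for the workstation (netbook), copied from the post.
WORKSTATION_GIF0='gif0: flags=28051<UP,POINTOPOINT,RUNNING,MULTICAST,NOINET6> mtu 1280
        priority: 0
        groups: gif
        tunnel: inet 10.0.1.130 -> 10.0.1.253
        inet 10.0.3.2 --> 10.0.3.1 netmask 0xffffff00'

# Sample ifconfig gif0 output for the server (fw2), copied from the post.
SERVER_GIF0='gif0: flags=28051<UP,POINTOPOINT,RUNNING,MULTICAST,NOINET6> mtu 1280
        priority: 0
        groups: gif
        tunnel: inet 10.0.1.253 -> 10.0.1.130
        inet 10.0.3.1 --> 10.0.3.2 netmask 0xffffff00'

# gif_endpoints: read ifconfig gif0 output on stdin and print one line:
#   <outer local> <outer remote> <inner local> <inner remote>
# The "tunnel:" line carries the outer (encapsulating) addresses; the
# "inet ... --> ..." line carries the inner point-to-point addresses.
gif_endpoints() {
    awk '
        $1 == "tunnel:" && $2 == "inet" { osrc = $3; odst = $5 }
        $1 == "inet" && $3 == "-->"      { isrc = $2; idst = $4 }
        END { if (osrc != "" && isrc != "") print osrc, odst, isrc, idst }
    '
}

# gif_mirrored A B: succeed only if the two ifconfig outputs describe the
# same tunnel seen from opposite ends (A's local addresses are B's remote
# ones, outer and inner alike).
gif_mirrored() {
    a=$(printf '%s\n' "$1" | gif_endpoints)
    b=$(printf '%s\n' "$2" | gif_endpoints)
    # Word-split both result lines into $1..$8; refuse if either parse failed.
    set -- $a $b
    [ $# -eq 8 ] || return 1
    if [ "$1" = "$6" ] && [ "$2" = "$5" ] && [ "$3" = "$8" ] && [ "$4" = "$7" ]; then
        return 0
    fi
    return 1
}

# gif_peer_hostname_file A: from one end's ifconfig output, print the
# /etc/hostname.gif0 the other end needs, in the post's two-line format.
# The 255.255.255.0 netmask is assumed (the post's tunnel network is a /24).
gif_peer_hostname_file() {
    set -- $(printf '%s\n' "$1" | gif_endpoints)
    [ $# -eq 4 ] || return 1
    printf 'tunnel %s %s\n!ifconfig gif0 %s %s netmask 255.255.255.0\n' "$2" "$1" "$4" "$3"
}

# Stand-alone run: report whether the post's two ends agree, then show the
# server-side hostname.gif0 derived from the workstation's view.
main() {
    if gif_mirrored "$WORKSTATION_GIF0" "$SERVER_GIF0"; then
        echo "gif0 endpoints mirror each other"
    else
        echo "gif0 endpoints do NOT mirror; check /etc/hostname.gif0 on both ends" >&2
        return 1
    fi
    echo "peer /etc/hostname.gif0 derived from the workstation's gif0:"
    gif_peer_hostname_file "$WORKSTATION_GIF0"
}

main "$@"
```

On a live pair of hosts, feed the script the real output of `ifconfig gif0` from each end instead of the embedded samples; the mirror check catches the common mistake of editing only one hostname.gif0 after an address change, which otherwise shows up only as NFS mounts that hang.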