DaemonForums

#1
Old 3 Weeks Ago
jggimi
Simplifying complex IPSec or Firewall solutions -- such as NFS -- with gif(4)

The BSDs each have gif(4), a driver that provides a general purpose tunnel interface. You can add them whenever you want to encapsulate IP packets, and tunnel packets inside an outer IP packet. The man pages don't tell you what these are for, or why you would want to use them.

I find gif(4) tunnels helpful whenever I have a complex protocol that is difficult to define in firewall rules or in IPSec flow descriptions. It adds an extra IP header to my data packet, but that tradeoff is usually worth it to provide simple management solutions for what might otherwise be complex or unsolvable problems.

One example is NFS Version 3. It uses Remote Procedure Call programs and dynamic UDP or TCP port numbers, and the port numbers can be unpredictable. What if I wished to encrypt the NFS traffic between client and server, and only the NFS traffic? Or set up a firewall so that only NFS traffic was passed, but not other traffic? Without knowing the dynamic port numbers that will be used, that can be difficult.

Using gif(4), I don't need to know the port numbers. I don't even need to know if the traffic will use TCP or UDP. Instead, I just need to define tunneled, virtual IP addresses and direct all the NFS traffic to them. Then, I write my rules by gif(4) interface or virtual IP address.

For example, I have this gif(4) interface defined on this workstation I'm typing on:

/etc/hostname.gif0
Code:
tunnel 10.0.1.130 10.0.1.253
!ifconfig gif0 10.0.3.2 10.0.3.1 netmask 255.255.255.0

This results in the following pseudo-NIC:
Code:
gif0: flags=28051<UP,POINTOPOINT,RUNNING,MULTICAST,NOINET6> mtu 1280
    priority: 0
    groups: gif
    tunnel: inet 10.0.1.130 -> 10.0.1.253
    inet 10.0.3.2 --> 10.0.3.1 netmask 0xffffff00

The real addresses are defined by the tunnel endpoints, which are 10.0.1.130 and 10.0.1.253. The virtual, tunneled addresses are defined as point-to-point between 10.0.3.2 and 10.0.3.1.

The server I am using has a gif(4) configured the same way, but with reversed addresses:
Code:
gif0: flags=28051<UP,POINTOPOINT,RUNNING,MULTICAST,NOINET6> mtu 1280
    priority: 0
    groups: gif
    tunnel: inet 10.0.1.253 -> 10.0.1.130
    inet 10.0.3.1 --> 10.0.3.2 netmask 0xffffff00

The server's /etc/exports permits access from the virtual, tunnelled IP on the workstation.
Code:
/var /var/mail 10.0.3.2

The IPSec rules that define the flows are simple, too. These are from OpenBSD's IKEv2 iked(8) but a similar ruleset could also be applied using the IKEv1 tools:
Code:
ikev2  esp \
  from 10.0.3.1 to 10.0.3.2 srcid fw2.jggimi.homeip.net dstid netbook.jggimi.homeip.net

Key: There are only three PF rules that manage this traffic. The gif(4) drivers use IP-in-IP, IP protocol 4, known as ipencap in OpenBSD's /etc/protocols list. That is the only traffic that needs to be passed on the physical interface. On the gif(4) tunnel, I need to pass UDP port 500 for the Internet Key Exchange Protocol (IKE). It is used to manage automatic IPSec keying. I need to pass the IPSec encrypted packets themselves, which is IPSEC tunneling protocol esp.
Code:
#
# allow IPSec under a gif0 tunnel (used for NFS with netbook) 
# 

# 1. permit the gif0 traffic to be embedded on $internal_nic:
pass log on $internal_nic proto ipencap

# 2. permit IKE traffic on UDP port 500 (NAT-Traversal is not used):
pass log on gif0 proto udp from any port 500 to any port 500

# 3. permit IPSec on gif0:
pass log on gif0 proto esp

From my client I can mount the NFS filesystem via fstab(5) or mount(8), as long as I use the virtual 10.0.3.1 address, which I have pre-defined in my local DNS resolver as fw2-gif. Here is an example of monitoring a mail file with xbiff(1):
Code:
$ sudo mount fw2-gif:/var/mail /fw2
$ xbiff -file /fw2/jggimi -geometry -4-4 &

Commands/files shown are for OpenBSD. Other BSDs will have varying requirements for provisioning gif(4) interfaces, firewalls, and IPSec.

Last edited by jggimi; 3 Weeks Ago at 08:50 PM. Reason: clarity, typos, and a thinko
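The packet path that makes the three PF rules above sufficient, as an added Python model that is not part of the post and is not OpenBSD code: it builds an NFS datagram with an ephemeral source port, wraps it the way IPsec tunnel-mode ESP and then gif(4) IP-in-IP would, and applies the two filter points the post describes (the physical NIC and gif0). The addresses are the post's; the ESP stand-in `esp_wrap`, the `trace_nfs_packet` helper, and the assumption that anything not matched by the three rules is dropped by a default block rule are mine. Real ESP carries an SPI, sequence number and ciphertext, none of which the filter decisions here look at.

```python
"""Model of the gif(4) + IPsec packet path from the post (added example,
not from the post or from OpenBSD).  Builds hand-constructed packets and
applies the post's three PF rules plus an assumed default block."""
import socket
import struct

IPPROTO_IPENCAP = 4   # IP-in-IP, "ipencap" in OpenBSD's /etc/protocols
IPPROTO_UDP = 17
IPPROTO_ESP = 50

# Outer (physical) tunnel endpoints and inner gif0 addresses from the post.
WORKSTATION_OUTER, SERVER_OUTER = "10.0.1.130", "10.0.1.253"
WORKSTATION_INNER, SERVER_INNER = "10.0.3.2", "10.0.3.1"

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header, no options


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum is left zero since nothing verifies it."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for an option-less IPv4 packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 without options is modelled")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[20:total_len]


def udp_datagram(sport, dport, data):
    """UDP header (checksum zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_wrap(inner_pkt, src, dst):
    """Stand-in for tunnel-mode ESP between the gif0 addresses: a proto-50
    packet carrying the original datagram (assumption: no SPI/encryption)."""
    return ipv4_header(src, dst, IPPROTO_ESP, len(inner_pkt)) + inner_pkt


def gif_encapsulate(inner_pkt, outer_src, outer_dst):
    """gif(4) on output: wrap the packet in an outer header with protocol 4."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPENCAP, len(inner_pkt)) + inner_pkt


def gif_decapsulate(outer_pkt, expected_src, expected_dst):
    """gif(4) on input: accept proto 4 only from the configured tunnel peer."""
    src, dst, proto, payload = parse_ipv4(outer_pkt)
    if proto != IPPROTO_IPENCAP:
        raise ValueError("not an IP-in-IP packet")
    if (src, dst) != (expected_src, expected_dst):
        raise ValueError("outer addresses do not match the tunnel endpoints")
    return payload


def physical_nic_passes(pkt):
    """Rule 1: on $internal_nic only proto ipencap is passed (default: block)."""
    return parse_ipv4(pkt)[2] == IPPROTO_IPENCAP


def gif0_passes(pkt):
    """Rules 2 and 3: on gif0 pass IKE (UDP 500 -> 500) and ESP; else block."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        return True
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return sport == 500 and dport == 500
    return False


def trace_nfs_packet(nfs_sport=49152, nfs_dport=2049):
    """Follow one NFS datagram (constructed; the ephemeral source port is the
    'unpredictable' one) from workstation to server through every layer."""
    data = b"NFS3"                                   # constructed payload
    nfs = ipv4_header(WORKSTATION_INNER, SERVER_INNER, IPPROTO_UDP, 8 + len(data)) \
        + udp_datagram(nfs_sport, nfs_dport, data)
    on_gif0 = esp_wrap(nfs, WORKSTATION_INNER, SERVER_INNER)
    on_wire = gif_encapsulate(on_gif0, WORKSTATION_OUTER, SERVER_OUTER)
    # Server side: physical NIC filter, gif(4) decapsulation, gif0 filter.
    inner = gif_decapsulate(on_wire, WORKSTATION_OUTER, SERVER_OUTER)
    return {
        "outer_proto": parse_ipv4(on_wire)[2],           # 4: ports are invisible
        "physical_nic_passes": physical_nic_passes(on_wire),
        "gif0_passes": gif0_passes(inner),
        "plain_nfs_on_gif0_passes": gif0_passes(nfs),    # unprotected NFS is blocked
    }


def decap_rejects_foreign_peer():
    """A proto-4 packet from an address that is not the tunnel peer is refused."""
    stray = gif_encapsulate(bytes(20), "10.0.1.99", SERVER_OUTER)   # constructed
    try:
        gif_decapsulate(stray, WORKSTATION_OUTER, SERVER_OUTER)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(trace_nfs_packet(), decap_rejects_foreign_peer())
```

Running `trace_nfs_packet()` shows the property the post relies on: the physical NIC only ever sees protocol 4 and gif0 only ever sees ESP (or IKE), so the NFS port numbers never have to appear in a rule, while the same datagram placed on gif0 without IPsec protection is dropped. The peer check in `gif_decapsulate` mirrors the fact that the tunnel endpoints are fixed in /etc/hostname.gif0, which is why an ipencap packet from any other host does not reach gif0 at all.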
#2
Old 3 Weeks Ago
Oko

Fantastic post!!! It should be sticky. Working with NFS behind the firewall is a royal pain, in particular on OpenBSD, where there are no cheap hacks to restrict ports used by NFS.