DaemonForums - OpenBSD Security
#1 - 6th June 2008
ales, New User (Join Date: May 2008, Posts: 1)

Redirecting ESP packets

Hi!

One of the users inside our internal network would like to connect via checkpoint VPN software to an outside network. As far as i know we should forward ESP packets to his internal host in our network. Is that possible with pf and openbsd?
#2 - 6th June 2008
jggimi, More noise than signal (Join Date: May 2008, Location: USA, Posts: 3,435)

Any IP protocol may be used with PF packet filtering rules and redirection rules. The protocol may be specified by number or by name, as defined in /etc/protocols. This includes ESP, IP protocol 50.

The definitive ruleset is in the man page for pf.conf(5). Guidelines and some "How To" information may be obtained from the PF User's Guide, and additional information may also be garnered from Peter Hansteen's recent publication, The Book of PF, which has been getting excellent reviews, and you may also find Jacek Artymiak's Building Firewalls with OpenBSD and PF helpful.
#3 - 15th June 2008
ohauer, Port Guard (Join Date: May 2008, Location: Germany, Posts: 32)

If the user uses CheckPoint SecuRemote/SecureClient, it is easy to create the rules.

This passage is from the CheckPoint manual.

If a SecuRemote/SecureClient is located behind a non-Check Point firewall, the following ports must be opened on the firewall to allow SecuRemote/SecureClient traffic to pass:

Table 1-16: ports to open for non-Check Point firewalls

Port               | Explanation
UDP port 500       | always, even if using IKE over TCP
TCP port 500       | only if using IKE over TCP
IP protocol 50 ESP | unless always using UDP encapsulation
UDP port 2746      | configurable; only if using UDP encapsulation
UDP port 259       | only if using MEP, interface resolving or interface High Availability

If you think this is too much, contact the Firewall Administrator at the CheckPoint side and ask if he supports Visitor Mode (HTTPS).
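Added example, not taken from any post in this thread: a pf.conf fragment in the 2008-era (pre-OpenBSD 4.7) nat/rdr syntax that puts together jggimi's point about naming ESP by protocol (post #2) and the CheckPoint port table ohauer quotes (post #3), forwarding that traffic to a single internal SecureClient host through a NATing OpenBSD gateway. The interface names, the internal client address and the remote Check Point gateway address are assumptions.

```conf
# Added example (not from the thread). OpenBSD 4.3-era pf.conf fragment:
# forward CheckPoint SecuRemote/SecureClient traffic to one internal host.
# Interface names and all addresses below are assumptions.
ext_if   = "em0"
int_if   = "em1"
vpn_host = "192.168.1.50"      # internal client running SecureClient (assumed)
vpn_peer = "203.0.113.10"      # remote Check Point gateway (assumed, documentation range)

# UDP ports from Table 1-16: 500 (IKE), 2746 (UDP encapsulation),
# 259 (only for MEP / interface resolving / interface High Availability)
vpn_udp  = "{ 500, 2746, 259 }"

set skip on lo

# Translation rules must precede filter rules; the first matching nat/rdr
# rule wins, so the VPN-specific rules come before the catch-all NAT.
# "static-port" keeps the client's UDP source port 500, which IKE peers
# commonly require. ESP (IP protocol 50) has no ports, so plain NAT applies.
nat on $ext_if proto esp from $vpn_host to $vpn_peer -> ($ext_if)
nat on $ext_if proto udp from $vpn_host to $vpn_peer port 500 -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Inbound redirection of VPN traffic from the peer to the client. The
# protocol may be given by name from /etc/protocols ("esp") or by number
# ("proto 50"); both select IP protocol 50.
rdr on $ext_if proto esp from $vpn_peer to ($ext_if) -> $vpn_host
rdr on $ext_if proto udp from $vpn_peer to ($ext_if) port $vpn_udp -> $vpn_host
rdr on $ext_if proto tcp from $vpn_peer to ($ext_if) port 500 -> $vpn_host

# Default deny inbound; allow outbound.
block in log all
pass out quick keep state

# Filter rules are evaluated after rdr, so they match on the translated
# destination ($vpn_host), not on the external interface address.
pass in on $ext_if proto esp from $vpn_peer to $vpn_host keep state
pass in on $ext_if proto udp from $vpn_peer to $vpn_host port $vpn_udp keep state
pass in on $ext_if proto tcp from $vpn_peer to $vpn_host port 500 flags S/SA keep state
pass in on $int_if from $int_if:network to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch the resulting entries with `pfctl -ss` while the client negotiates. Because ESP carries no port numbers, pf can only distinguish flows by addresses and so can redirect ESP from a given peer to exactly one internal host; a second client behind the same gateway needs UDP encapsulation (port 2746) or the Visitor Mode ohauer mentions. OpenBSD 4.7 and later replace the nat/rdr rules above with `match ... nat-to` and `rdr-to`.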