I'll look at what you say below Bill.
But keep in mind that the attacks I'm concerned about are typically
buffer overflows and other sideband attacks. Directness rarely succeeds
in hacking these days. There are always unknown vulns.
I suspect that the reason Tom says that only the router can
sponsor the ipsec gateway is that ports other than 4500 are used,
although he doesn't specify. I know that at least with LibreSwan there
is a setting to constrain it to 4500 for this reason. Not sure about
StrongSwan, but I'll look into it today.
On 12/14/2017 11:14 PM, Bill Shirley wrote:
> This statement sounds like you think that if your IPSEC is
> compromised, the h@x0r will
> now have a session on the system (VM or native). Even if someone
> could inject traffic,
> it would be just a decrypted packet with a SRC= and a DST= that still
> needs to be routed.
> That packet must pass the rules. VM or not, how do you determine a
> packet is invalid?
>
> If you're specific in tunnels with the GATEWAY column, a foreign
> packet will not be accepted.
> #TYPE     ZONE    GATEWAY(S)          GATEWAY
> #                                     ZONE(S)
> ?COMMENT siteA tunnel
> ipsec     inet    xxx.yyy.zzz.123
>
> Also, a foreign esp packet can also be dropped in the mangle
> PREROUTING chain:
> CONTINUE:P   xxx.yyy.zzz.123   this.fw.addr.456   esp   # my pal siteA
> DROP:P       -                 -                  esp   # I don't know you!!
>
> Bill
>
> On 12/14/2017 5:55 PM, cac...@quantum-sci.com wrote:
>> Thanks. The reason I have this structure in mind is, if ipsec is
>> compromised, I want the ne'er-do-well to end up in a benign VM, -not-
>> the router.
>
>
> ------------------------------------------------------------------------------
>
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
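To make Bill's "foreign esp packet" point concrete, here is a small first-match evaluator for mangle PREROUTING lines of the shape he posted. This is an added example, not Shorewall's own code or anything from the thread: it models only the ACTION SOURCE DEST PROTO columns, and the addresses are constructed RFC 5737 documentation values standing in for the masked xxx.yyy.zzz.123 and this.fw.addr.456. Running a few constructed packets through it shows which ESP packets the two lines decide and which ones fall through to the rest of the ruleset.

```python
"""First-match evaluator for Shorewall-style mangle lines (added example, not Shorewall code).

Models only ACTION[:chain] SOURCE DEST PROTO so the peer-restriction idea from the
thread can be checked offline. Addresses are constructed (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IANA protocol numbers for the names used in the thread (esp) plus a few common ones
PROTO_NUMBERS = {"esp": 50, "ah": 51, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class MangleRule:
    action: str                                # CONTINUE, DROP, ...
    chain: str                                 # "P" when written as ACTION:P (PREROUTING), else ""
    source: Optional[ipaddress.IPv4Network]    # None stands for "-" (any source)
    dest: Optional[ipaddress.IPv4Network]      # None stands for "-" (any destination)
    proto: Optional[int]                       # None stands for "-" (any protocol)


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    # A bare host address becomes a /32; "-" matches anything
    return None if token == "-" else ipaddress.ip_network(token, strict=False)


def _proto(token: str) -> Optional[int]:
    if token == "-":
        return None
    name = token.lower()
    return PROTO_NUMBERS[name] if name in PROTO_NUMBERS else int(token)


def parse_mangle(text: str) -> List[MangleRule]:
    """Parse ACTION SOURCE DEST PROTO lines (only the columns this example models)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop "# my pal siteA"-style comments
        if not line or line.startswith("?"):     # skip blanks and ?COMMENT/?FORMAT directives
            continue
        cols = line.split()
        if len(cols) < 4:
            raise ValueError(f"expected ACTION SOURCE DEST PROTO, got {raw!r}")
        action, _, chain = cols[0].partition(":")
        rules.append(MangleRule(action.upper(), chain.upper(),
                                _net(cols[1]), _net(cols[2]), _proto(cols[3])))
    return rules


def evaluate(rules: List[MangleRule], src: str, dst: str, proto: str) -> Optional[str]:
    """First matching rule wins, as in an iptables chain.

    Returns the rule's action, or None when no line matched: such a packet is not
    decided here and goes on to the normal zone/policy processing.
    """
    s, d, p = ipaddress.ip_address(src), ipaddress.ip_address(dst), _proto(proto)
    for r in rules:
        if r.source is not None and s not in r.source:
            continue
        if r.dest is not None and d not in r.dest:
            continue
        if r.proto is not None and p != r.proto:
            continue
        return r.action
    return None


# Constructed sample: the two lines from the thread, with documentation addresses
# standing in for xxx.yyy.zzz.123 (siteA) and this.fw.addr.456 (our firewall)
MANGLE_SAMPLE = """\
#ACTION      SOURCE          DEST            PROTO
CONTINUE:P   203.0.113.123   198.51.100.1    esp    # my pal siteA
DROP:P       -               -               esp    # I don't know you!!
"""

RULES = parse_mangle(MANGLE_SAMPLE)


def check_samples() -> dict:
    """Run a few constructed packets through the chain and report each verdict."""
    return {
        "known_peer_esp":        evaluate(RULES, "203.0.113.123", "198.51.100.1", "esp"),
        "unknown_peer_esp":      evaluate(RULES, "192.0.2.77", "198.51.100.1", "esp"),
        "known_peer_wrong_dest": evaluate(RULES, "203.0.113.123", "198.51.100.9", "esp"),
        "known_peer_udp":        evaluate(RULES, "203.0.113.123", "198.51.100.1", "udp"),
    }


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:24s} -> {verdict}")
```

Two things the verdicts make visible: the DEST column matters (ESP from the known peer to any other firewall address is still dropped), and the `esp`-only lines say nothing about UDP, so IKE and NAT-T traffic (ESP wrapped in UDP on port 4500) passes straight through to the rest of the ruleset, which is where the port-4500 question raised above comes in.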