Re: [Shorewall-users] DNAT and UDP

2017-12-29 Thread Tuomo Soini
> Am I understanding correctly that Libreswan does -not- do NAT-T
> properly?  If so, is there some way to mitigate this?

Libreswan does nat-t just fine.

-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] DNAT and UDP

2017-12-28 Thread Colony.three via Shorewall-users
> As one of the Libreswan authors I'd note it's "Libreswan" - no capital
> letters in the middle of the name, please.
>
> When suggesting manual keying, please note it is horribly insecure and should 
> not be used:
>
> https://tools.ietf.org/html/rfc8221#section-3
>
> Tuomo Soini t...@foobar.fi

Thanks for the info Tuomo,

Am I understanding correctly that Libreswan does -not- do NAT-T properly?  If 
so, is there some way to mitigate this?


Re: [Shorewall-users] DNAT and UDP

2017-12-28 Thread Tuomo Soini
On Wed, 13 Dec 2017 12:44:55 -0500
Bill Shirley  wrote:

> I don't see that SSH tunneling or running IPSEC in a VM as a security
> gain.  It would be very complex with multiple points of failure.  If
> you don't trust the traffic from the other endpoint, filter it with
> Shorewall after it's decrypted.  After decryption a packet will
> traverse the Shorewall rules where you can DROP or REJECT if desired.
> 
> Also, with IPSEC using manual keying, you don't even need
> LibreSwan.  Look at /usr/share/doc/initscripts/sysconfig.txt for
> IPSEC setup.

As one of the Libreswan authors I'd note it's "Libreswan" - no capital
letters in the middle of the name, please.

When suggesting manual keying, please note it is horribly insecure and
should not be used:

https://tools.ietf.org/html/rfc8221#section-3

-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 



Re: [Shorewall-users] DNAT and UDP

2017-12-13 Thread cacook
On 12/13/2017 09:44 AM, Bill Shirley wrote:
> I don't see that SSH tunneling or running IPSEC in a VM as a security
> gain.  It
> would be very complex with multiple points of failure.  If you don't
> trust the traffic
> from the other endpoint, filter it with Shorewall after it's
> decrypted.  After decryption
> a packet will traverse the Shorewall rules where you can DROP or
> REJECT if
> desired.
>
> Also, with IPSEC using manual keying, you don't even need
> LibreSwan.  Look
> at /usr/share/doc/initscripts/sysconfig.txt for IPSEC setup.
>
> Bill


Bill, I do trust my laptop and remote LAN.  Point is, if I run the IPSec
left (server) on my router (the VM which provides outside access to the
LAN), if ne'er-do-wells compromise ipsec they will be inside my router. 
I don't want this.  If they compromise ipsec I want them to end up
inside a benign machine.

I just don't know how to tunnel UDP.

It's not a good idea to use ipsec with PSK anymore.  I'll be using
(self-genned) certs only.  RSA was compromised in 2014 (granted, NSA),
and Schneier says he doesn't trust EC because the curves NSA submitted to
NIST are related.






Re: [Shorewall-users] DNAT and UDP

2017-12-13 Thread cacook
On 12/13/2017 08:55 AM, Tom Eastep wrote:

> On 12/13/2017 08:47 AM, cac...@quantum-sci.com wrote:
>> On 12/12/2017 03:22 PM, cac...@quantum-sci.com wrote:
>>> I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM)
>>>
>>> At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse
>>> SSH tunneled from another machine).
>>>
>>> Rather than flanging those ports directly to the outside interface in
>>> the router, I'm hoping for a little added protection by listening them
>>> on localhost, and then DNATing from the outside interface.
>>>
>>> - Does this give any added protection?
>>>
>>> - Does DNAT even work with UDP?  If not, what can I do?
>>>
>>> - Is there a better way?
>>>
>> Can anyone advise?
>>
>> I have many problems already, trying to get ipsec working.  Trying to
>> anticipate this one.
>>
> I believe it adds additional complexity with no benefit to security. But
> to answer your other question, UDP can be DNATted; that is why IPSEC Nat
> Traversal encapsulates the ESP packets in UDP (port 4500).
>
> -Tom
Ah, good to know.  I'd previously found that I cannot encapsulate DNS
in a reverse SSH tunnel as SSH cannot do UDP, so I wasn't sure whether
that also applies to DNAT.

But I now find that trying to reverse SSH tunnel my IPSec ports from the
left VM to the router, will not work for the same reason -- they are
both UDP. 

Is there a way to use Shorewall to get my ipsec ports from one KVM VM,
to another's outside interface?

I have a designated VM as ipsec server as, in case it's compromised, I'd
rather it be a minimal CentOS VM rather than my router.


Re: [Shorewall-users] DNAT and UDP

2017-12-13 Thread Tom Eastep
On 12/13/2017 08:47 AM, cac...@quantum-sci.com wrote:
> On 12/12/2017 03:22 PM, cac...@quantum-sci.com wrote:
>>
>> I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM)
>>
>> At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse
>> SSH tunneled from another machine).
>>
>> Rather than flanging those ports directly to the outside interface in
>> the router, I'm hoping for a little added protection by listening them
>> on localhost, and then DNATing from the outside interface.
>>
>> - Does this give any added protection?
>>
>> - Does DNAT even work with UDP?  If not, what can I do?
>>
>> - Is there a better way?
>>
> 
> Can anyone advise?
> 
> I have many problems already, trying to get ipsec working.  Trying to
> anticipate this one.
> 

I believe it adds additional complexity with no benefit to security. But
to answer your other question, UDP can be DNATted; that is why IPSEC Nat
Traversal encapsulates the ESP packets in UDP (port 4500).

-Tom
-- 
Tom Eastep
Shoreline, Washington, USA
http://shorewall.org

Q: What do you get when you cross a mobster with an international standard?
A: Someone who makes you an offer you can't understand


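Tom's point is that UDP can be DNATted just like TCP, and that NAT Traversal exists precisely so that ESP can ride inside UDP 4500 through a NAT. The fragment below is an added example of what that looks like in a Shorewall /etc/shorewall/rules file; it is not from this thread or from the Shorewall project, and it assumes a zone layout of net (outside), dmz (the minimal IPsec VM) and loc (the LAN), with 10.0.0.5 as a placeholder address for the IPsec VM.

```text
#ACTION   SOURCE   DEST               PROTO   DPORT
# IKE (UDP 500) and NAT-T (UDP 4500) arriving on the router's outside interface
# are forwarded to the IPsec VM. ESP itself (IP protocol 50) carries no ports and
# cannot be forwarded this way, but because the DNAT is a NAT, the IKE peers detect
# it and encapsulate ESP in UDP 4500, so these two UDP ports are all that is needed.
DNAT      net      dmz:10.0.0.5       udp     500,4500

# Decrypted traffic the VM forwards towards the LAN is ordinary dmz->loc traffic
# and is filtered here like anything else (this assumes the VM and the LAN sit on
# different router interfaces). Allow only what is wanted; the rest falls through
# to the dmz->loc policy.
ACCEPT    dmz      loc                tcp     22
```

Run `shorewall check` after editing to have the compiler validate the file before `shorewall restart`. Terminating IKE on the separate VM rather than on the router keeps the IKE daemon out of the router itself, which is what the original poster was after, while the router still sees and filters the cleartext that leaves the VM.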


Re: [Shorewall-users] DNAT and UDP

2017-12-13 Thread cacook
On 12/12/2017 03:22 PM, cac...@quantum-sci.com wrote:
>
> I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM)
>
> At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse
> SSH tunneled from another machine).
>
> Rather than flanging those ports directly to the outside interface in
> the router, I'm hoping for a little added protection by listening them
> on localhost, and then DNATing from the outside interface.
>
> - Does this give any added protection?
>
> - Does DNAT even work with UDP?  If not, what can I do?
>
> - Is there a better way?
>

Can anyone advise?

I have many problems already, trying to get ipsec working.  Trying to
anticipate this one.


[Shorewall-users] DNAT and UDP

2017-12-12 Thread cacook
I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM)

At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse SSH
tunneled from another machine).

Rather than flanging those ports directly to the outside interface in
the router, I'm hoping for a little added protection by listening them
on localhost, and then DNATing from the outside interface.

- Does this give any added protection?

- Does DNAT even work with UDP?  If not, what can I do?

- Is there a better way?


