# IPFW configuration when doing EtherIP tunnel



## BioZ (Jul 18, 2012)

Hi!

I would kindly ask you for some help/advice in configuring IPFW.

I have two VMs with FreeBSD 9.0 installed.
On each machine:
There are two interfaces, em0 and em1.
em0 has public IP address assigned (a.b.c.d), while em1 has none.
There is a tunnel interface gif0 created (with target IP e.f.g.h).
There is a bridge interface bridge0 with members em1 and gif0.
I'm configuring them via SSH from IP i.j.k.l.

I would like to secure each machine at its em0 ("public") interface according to the following rules:
- accept incoming and outgoing EtherIP frames between those two endpoints
- allow connecting to the machine via SSH and pinging it (ICMP and ARP are needed, I think) from one IP address
- allow pinging (ICMP and ARP are needed, I think) from the machine
- deny any other traffic

As far as I understand the EtherIP implementation in FreeBSD, packets arriving at em1 will be sent through gif0 like regular packets, but they will be visible at em0 as EtherIP packets, right?
If so, then I thought of commands like these:

```sh
ipfw -q add allow all from any to any not via em0 # only em0 is filtered; leave lo0, em1, gif0 and bridge0 alone
ipfw -q add allow etherip from e.f.g.h to a.b.c.d in via em0 # incoming EtherIP (IP protocol 97)
ipfw -q add allow etherip from a.b.c.d to e.f.g.h out via em0 # outgoing EtherIP
ipfw -q add allow all from i.j.k.l to a.b.c.d in via em0 keep-state # SSH and ping for me; keep-state lets the replies back out
ipfw -q add allow icmp from any to any out via em0 # for pings
ipfw -q add allow icmp from any to any in via em0 # for pings
ipfw -q add deny all from any to any # no rule matched, so the packet is not allowed
```

Is that more or less alright?
I'm just starting with FreeBSD (and UNIX in general), and such firewall tools are new to me too.

Thanks in advance.
Regards,
Tomasz


----------



## SirDice (Jul 18, 2012)

The gif(4) tunnel interface uses IP over IP. It cannot do Ethernet over IP.

What exactly are you trying to accomplish?


----------



## BioZ (Jul 18, 2012)

:|
I was told that it would do the job as EtherIP (an old but simple solution for tunneling Ethernet frames over IP).

Exactly: I want to secure the machines on their "public" side from unwanted traffic, and from unauthorized people when it comes to SSH.

Regards.


----------



## BioZ (Jul 18, 2012)

Ah, I know where that information about EtherIP came from, the bridge man page:


> The bridge can tunnel Ethernet across an IP internet using the EtherIP
> protocol. This can be combined with ipsec(4) to provide an encrypted
> connection. Create a gif(4) interface and set the local and remote IP
> addresses for the tunnel, these are reversed on the remote bridge.
> ...

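The bridge(4) steps quoted above, worked through for both ends together with em0 rules along the lines of the first post, as an added example that is not part of the thread; it only prints the commands rather than running them. Interface names come from the thread; the addresses are constructed placeholders, and the `not via em0` rule and `keep-state` on the SSH rule are additions beyond the original ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: print the per-host commands for the
# EtherIP setup in the bridge(4) excerpt, plus em0 firewall rules in the
# spirit of the first post. Addresses are constructed placeholders
# (RFC 5737 ranges), not the poster's hosts; interface names are the
# thread's em0/em1/gif0/bridge0.

# bridge(4) steps for one end: gif0 tunnels between the two em0 addresses
# (reversed on the other end), bridge0 joins em1 and gif0.
tunnel_cmds() { # $1=this host's em0 address  $2=peer's em0 address
    printf '%s\n' \
        "ifconfig gif0 create" \
        "ifconfig gif0 tunnel $1 $2" \
        "ifconfig bridge0 create" \
        "ifconfig bridge0 addm em1 addm gif0 up"
}

# ipfw rules for em0 only. Without rule 100 the final deny would also drop
# loopback, em1, gif0 and bridge0 traffic and break the tunnel. EtherIP
# is IP protocol 97 ("etherip" in /etc/protocols). SSH needs keep-state so
# the replies from port 22 are allowed back out; ARP is not IP and is not
# seen by these layer 3 rules at all.
fw_cmds() { # $1=this host  $2=peer  $3=admin host allowed to SSH/ping
    printf 'ipfw -q add %s\n' \
        "100 allow ip from any to any not via em0" \
        "200 allow etherip from $2 to $1 in via em0" \
        "210 allow etherip from $1 to $2 out via em0" \
        "300 allow tcp from $3 to $1 22 in via em0 setup keep-state" \
        "310 allow icmp from $3 to $1 in via em0 icmptypes 8" \
        "320 allow icmp from $1 to $3 out via em0 icmptypes 0" \
        "330 allow icmp from $1 to any out via em0 icmptypes 8" \
        "340 allow icmp from any to $1 in via em0 icmptypes 0" \
        "65000 deny ip from any to any via em0"
}

# Both ends from one set of parameters, so the addresses are swapped
# consistently instead of being retyped on the second VM.
host_config() { # $1=this host  $2=peer  $3=admin
    tunnel_cmds "$1" "$2"
    fw_cmds "$1" "$2" "$3"
}

A=203.0.113.10   # constructed: em0 of VM 1 (a.b.c.d in the post)
B=198.51.100.20  # constructed: em0 of VM 2 (e.f.g.h in the post)
ADMIN=192.0.2.5  # constructed: the SSH client (i.j.k.l in the post)

echo "# --- VM 1 ---"; host_config "$A" "$B" "$ADMIN"
echo "# --- VM 2 ---"; host_config "$B" "$A" "$ADMIN"
```

Run it once per VM with the addresses swapped, or pipe the output through `sh` on the host itself once the placeholders are replaced.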

----------



## SirDice (Jul 18, 2012)

BioZ said:

> Exactly: I want to secure the machines on their "public" side from unwanted traffic, and from unauthorized people when it comes to SSH.


You don't need EtherIP. At all. You don't need a bridge either.

Install something like security/sshguard or security/py-fail2ban.


----------



## BioZ (Jul 18, 2012)

Uh huh, sorry for not being precise.
For security I don't need EtherIP, you're right.
But I want to have an EtherIP tunnel established between the two machines regardless of this security issue.

I'll take a look at those two tools, thanks!

Regards.


----------



## SirDice (Jul 18, 2012)

BioZ said:

> But I want to have an EtherIP tunnel established between the two machines regardless of this security issue.


Why? Since they are both VMs, why not put both machines' em1 in the same host-only network? That will allow you to communicate on layer 2 between them.


----------



## BioZ (Jul 18, 2012)

Let's say, for educational purposes. They are hosted on two different servers as well.

Regards.


----------



## SirDice (Jul 18, 2012)

The bit you copy/pasted from bridge(4) looks fairly straightforward.


----------



## BioZ (Jul 18, 2012)

So I think that everything is clear for both of us and we have reached EoT.
I will try to work with sshguard.

Thanks again.
Regards.


----------

