Re: openswan and klips ipsec stack




On 10/06/2014 03:08 PM, Eero Volotinen wrote:
> 2014-10-06 22:02 GMT+03:00 Steve Clark <sclark@xxxxxxxxxxxxx>:
>
>> On 10/06/2014 02:00 PM, Eero Volotinen wrote:
>>
>>> Hi List,
>>>
>>> Is there an easy way to get the klips ipsec stack into centos 6? As it makes
>>> firewalling ipsec traffic much easier..
>>>
>>> Eero
>>
>> Hi Eero,
>>
>> If you are only concerned about firewalling incoming traffic why would you
>> need more than:
>> -A INPUT -p udp -s peerip/32 --sport 500 -d yourip/32 --dport 500 -j ACCEPT
>> -A INPUT -p esp -s peerip/32 -d yourip/32 -j ACCEPT
>
> Also need to filter outgoing ipsec traffic and it's a bit complex on netkey
> stack?

Hi Eero,

We are using ipsec-tools, which is based on netkey. I am not sure I see the issue. Why wouldn't the
above rules work with those below:

-A OUTPUT -o ethx -p udp -s yourip/32 --sport 500 -d peerip/32 --dport 500 -j ACCEPT
-A OUTPUT -o ethx -p esp -s yourip/32 -d peerip/32 -j ACCEPT

If you only want the rules against a certain interface.



--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@xxxxxxxxxxxxx
http://www.netwolves.com
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
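As an added example that is not part of the thread (not Steve's or Eero's rules), the shell function below prints the IKE (UDP/500) and ESP rules from the two messages for one peer in both directions, in iptables-restore syntax, and goes one step beyond the thread: it adds `-m policy` rules, which is how a netkey (XFRM) host recognises the plaintext that was just decrypted from, or is about to be encrypted into, the tunnel, since there is no KLIPS ipsecN interface to match on. The function name, the addresses and the interface name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prints filter-table rules for one IPsec
# peer on a netkey/XFRM host; it never calls iptables itself, so the output can
# be reviewed and then fed to iptables-restore. Function name, addresses and
# interface are constructed placeholders.

# Print one rule line instead of running iptables.
rule() { printf '%s\n' "$*"; }

# ipsec_peer_rules LOCAL_IP PEER_IP IFACE
ipsec_peer_rules() {
    local_ip=$1
    peer_ip=$2
    iface=$3

    # IKE: UDP/500 in both directions, pinned to this peer and local address.
    rule -A INPUT  -i "$iface" -p udp -s "$peer_ip/32"  --sport 500 -d "$local_ip/32" --dport 500 -j ACCEPT
    rule -A OUTPUT -o "$iface" -p udp -s "$local_ip/32" --sport 500 -d "$peer_ip/32"  --dport 500 -j ACCEPT

    # ESP (IP protocol 50): the encrypted packets themselves.
    rule -A INPUT  -i "$iface" -p esp -s "$peer_ip/32"  -d "$local_ip/32" -j ACCEPT
    rule -A OUTPUT -o "$iface" -p esp -s "$local_ip/32" -d "$peer_ip/32"  -j ACCEPT

    # netkey has no ipsecN device, so the plaintext is matched with the policy
    # match instead: --dir in hits packets just decrypted from a tunnel-mode ESP
    # SA with this peer, --dir out hits packets about to be encrypted towards
    # it. Narrow these further (inner subnets, ports) as needed; the point is
    # that an ESP ACCEPT alone says nothing about the decrypted traffic.
    rule -A INPUT  -m policy --dir in  --pol ipsec --mode tunnel --proto esp --tunnel-src "$peer_ip/32" -j ACCEPT
    rule -A OUTPUT -m policy --dir out --pol ipsec --mode tunnel --proto esp --tunnel-dst "$peer_ip/32" -j ACCEPT
}

# Usage with constructed addresses from the documentation ranges.
ipsec_peer_rules 203.0.113.5 198.51.100.7 eth0
```

The reason the plaintext rules matter on netkey: after the kernel decrypts an ESP packet, the inner packet is re-injected and traverses INPUT or FORWARD again as ordinary IP, so the ESP rule only admits the envelope. Without a policy-match rule the decrypted traffic is either dropped by a default-DROP policy or, if a broad ACCEPT exists, allowed whether or not it arrived through the SA; the `--dir out` rule likewise lets the firewall distinguish traffic that will be encrypted from traffic that would leave in the clear.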



