Hi LARTC, hopefully this is the kind of question this list should be
suited for :)
I want to use the NETKEY IPsec stack and put the firewall on the same
machine running Openswan/Strongswan. I'm starting to look at how it hooks
into the netfilter chains, and any help (including links to
documentation/howtos) is appreciated.
Incoming packets are received encrypted on the physical interface and
then "magically" appear in decrypted form, so firewalling isn't as easy
as matching an ipsecX interface like with the KLIPS stack. I thought
about marking ESP packets at first to be able to recognize them later in
decrypted form and do the appropriate matching: is there any other way to do
it? I already use tons of marks and mark masks :(
The biggest issue is with outgoing packets, for some reason they seem to
appear only in encrypted form, so there is no way to do any kind of
matching... How to achieve firewalling for outgoing packets then?
Thanks,
Niccolò
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
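As an added example (not from the original post, and not Openswan/Strongswan code), the script below sketches both the marking approach described in the post and the iptables `policy` match (xt_policy) as a swapped-in alternative that needs no mark and also sees outgoing packets in cleartext. The remote subnet and the mark bit are constructed placeholders.

```shell
#!/bin/sh
# Added example: firewalling NETKEY IPsec traffic with iptables.
# REMOTE_NET and ESP_BIT are constructed placeholder values.
IPT="${IPT:-iptables}"
REMOTE_NET="10.20.0.0/16"   # constructed: cleartext subnet behind the tunnel
ESP_BIT="0x80"              # constructed: one spare bit in the packet mark

# Approach 1 (the post's marking idea): tag ESP packets before decryption.
# NETKEY keeps skb->mark on the decrypted packet, so INPUT/FORWARD can match it.
# --or-mark and --mark value/mask touch only this bit, leaving other marks intact.
mark_rules() {
    $IPT -t mangle -A PREROUTING -p esp -j MARK --or-mark "$ESP_BIT"
    $IPT -A INPUT   -m mark --mark "$ESP_BIT/$ESP_BIT" -s "$REMOTE_NET" -j ACCEPT
    $IPT -A FORWARD -m mark --mark "$ESP_BIT/$ESP_BIT" -s "$REMOTE_NET" -j ACCEPT
}

# Approach 2: xt_policy asks the kernel whether the packet was (dir in) or will be
# (dir out) handled by an IPsec policy, so no mark is consumed. --dir out matches
# the outgoing packet while it is still cleartext, before ESP encapsulation.
policy_rules() {
    $IPT -A INPUT   -m policy --dir in  --pol ipsec --proto esp -s "$REMOTE_NET" -j ACCEPT
    $IPT -A FORWARD -m policy --dir in  --pol ipsec --proto esp -s "$REMOTE_NET" -j ACCEPT
    $IPT -A FORWARD -m policy --dir out --pol ipsec --proto esp -d "$REMOTE_NET" -j ACCEPT
    $IPT -A OUTPUT  -m policy --dir out --pol ipsec --proto esp -d "$REMOTE_NET" -j ACCEPT
    # The ESP packets themselves and IKE still need to pass on the physical interface.
    $IPT -A INPUT  -p esp -j ACCEPT
    $IPT -A OUTPUT -p esp -j ACCEPT
    $IPT -A INPUT  -p udp --dport 500 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 500 -j ACCEPT
}

# Count how many rules a rule function would load, without touching the kernel.
count_rules() {
    (IPT="echo iptables"; "$1") | grep -c '^iptables'
}

case "${1:-print}" in
    apply) policy_rules ;;                     # needs root and a real iptables
    print) IPT="echo iptables"; policy_rules ;; # dry run: just show the rules
esac
```

Run it with `apply` as root to load the policy-match rules; without arguments it only prints them.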