port-based filtering of IPsec packets?

I'm curious how I might do port-based filtering of IPsec packets with
iptables.  Presently, filtering IPsec-encrypted packets is an
all-or-nothing proposition because iptables can't look inside an ESP
section to get the port info.  It can only filter ESP packets based on
the SPI.  Actually, I'm not even sure how I'd get iptables to do
address-based filtering of IPsec packets.

Why would I want this?  Well, I might want to do opportunistic IPsec and
allow arbitrary parties to interact with my host, but I still want to
make sure that only selected services are made available.

I noticed that a similar thing was asked over on the FreeBSD side of the
world:

   http://www.bsdforums.org/forums/showthread.php?threadid=11725

Somehow, I don't expect the iptables solution to be quite so easy.

-- 
Rick Kennell <kennell@xxxxxxxxxxxxxx>
Purdue University Department of Electrical and Computer Engineering
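
The approach described above (iptables only seeing the outer ESP header) changes on kernels with native IPsec and the netfilter `policy` match: the decapsulated inner packet traverses the filter table again, so ordinary port rules can be combined with a requirement that the packet arrived inside an IPsec SA. The following is an added example, not part of the original post and not a reply from the list; it assumes a Linux kernel with xfrm IPsec and the `xt_policy` match module, and the port list and `IPT` variable are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Linux kernel with
# native IPsec (xfrm) and the netfilter 'policy' match (xt_policy): after
# ESP decapsulation the inner packet re-enters the INPUT chain, where
# '-m policy --dir in --pol ipsec' matches only packets that were carried
# by an IPsec SA. Set IPT=echo to preview the rules instead of applying them.
IPT="${IPT:-iptables}"

# Let the IPsec transport itself through: ESP on the wire, plus IKE
# (UDP/500) and IKE NAT traversal (UDP/4500). The inner packet is judged
# separately by ipsec_port_rules when it comes back around.
ipsec_transport_rules() {
    "$IPT" -A INPUT -p esp -j ACCEPT
    "$IPT" -A INPUT -p udp --dport 500 -j ACCEPT
    "$IPT" -A INPUT -p udp --dport 4500 -j ACCEPT
}

# Accept only the listed TCP ports, and only when the inner packet was
# delivered through an IPsec SA; every other IPsec-delivered packet is
# dropped. Cleartext traffic is left to whatever rules follow, so the
# opportunistic peers from the post can reach just the selected services.
ipsec_port_rules() {
    for port in "$@"; do
        "$IPT" -A INPUT -m policy --dir in --pol ipsec --proto esp \
            -p tcp --dport "$port" -j ACCEPT
    done
    "$IPT" -A INPUT -m policy --dir in --pol ipsec --proto esp -j DROP
}

# Usage: allow SSH and HTTPS over IPsec, nothing else inside the tunnel.
ipsec_transport_rules
ipsec_port_rules 22 443
```

Without the `policy` match, filtering by `-p esp -m esp --espspi` remains the only handle on encrypted traffic, which is the all-or-nothing situation the post describes.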
