On Sat, 17 Jan 2004 18:29:56 +0000, Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx> wrote:
>On Saturday 17 January 2004 5:47 pm, netfilter.lists.samba.org@xxxxxxxxxxxxx
>wrote:
>> Actually, not being able to filter traffic from an ipsec tunnel is a
>> killer. Either for netfilter, or for kernel 2.6 ipsec. I suspect it
>> will kill kernel 2.6 ipsec. Which is really bad since frees/wan
>> positively sucks.
>
>What do you think is wrong with FreeS/WAN?

FreeS/WAN is - as somebody else said very nicely - at war with the kernel routing machinery. It makes me sick to see two identical routing table entries, one pointing to the physical interface and one pointing to the logical interface, with some hidden magic favoring the ipsec0 route.

FreeS/WAN is a kernel patch with a very strange applying mechanism which makes it hard but impossible to use any pre-fabricated patching framework. I have never been able to get the new module approach to run.

FreeS/WAN needs to be tailored for each new kernel version, which keeps the possibility of a new exploit being fixed, breaking FreeS/WAN, forcing me to choose between staying exploitable or living without my VPN connections until the FreeS/WAN project has adapted.

The latest FreeS/WAN version I have successfully used is 1.99. Later versions insist on establishing a "default route" (manifested as one route for 0.0.0.0/1 and one for 128.0.0.0/1, which is one more proof of being at war with the normal routing mechanisms) which breaks the test box's unencrypted network connection.

The FreeS/WAN-Users mailing list is flooded with spam because the mailing list owners refuse to establish even the most trivial of spam prevention measures because they're afraid of handicapping free speech, without realizing that a spam-flooded mailing list is a bad handicap of free speech because nobody would use it.

I hope that I made my point clear.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
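Added example (not from the post, the list, or the FreeS/WAN project): a small Python checker over constructed `ip route show` output that flags the two routing-table patterns Marc describes, the 0.0.0.0/1 + 128.0.0.0/1 pair that outranks the real default route, and the same destination listed on both the physical and the ipsec0 interface. The device names, addresses and sample lines are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format of `ip route show` (not captured from a
# real FreeS/WAN box); it exhibits both patterns described in the post.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 192.0.2.1 dev ipsec0
128.0.0.0/1 via 192.0.2.1 dev ipsec0
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 scope link src 192.0.2.10
192.0.2.0/24 dev ipsec0 scope link src 192.0.2.10
10.0.0.0/8 via 192.0.2.1 dev ipsec0
"""

def parse_routes(text):
    """Parse `ip route show` lines into (destination network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes

def split_default_devices(routes):
    """Devices carrying both halves of IPv4 space as /1 routes. Two /1 routes
    (0.0.0.0/1 and 128.0.0.0/1) beat any /0 default route on prefix length,
    so they silently take over all traffic without touching the real default."""
    halves = defaultdict(set)
    for net, dev in routes:
        if net.version == 4 and net.prefixlen == 1:
            halves[dev].add(int(net.network_address))
    return sorted(dev for dev, h in halves.items() if h == {0, 1 << 31})

def duplicate_destinations(routes):
    """Map each destination present on more than one interface to those
    interfaces (the same subnet via eth0 and via ipsec0 in the sample)."""
    by_dst = defaultdict(set)
    for net, dev in routes:
        by_dst[net].add(dev)
    return {str(n): sorted(d) for n, d in by_dst.items() if len(d) > 1}

if __name__ == "__main__":
    parsed = parse_routes(SAMPLE_ROUTES)
    print("split default route via:", split_default_devices(parsed))
    print("destinations on several interfaces:", duplicate_destinations(parsed))
```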