At Wed, Jan 21, 2004 at 04:44:20PM +0100, Marc Haber wrote:
> On Wed, Jan 21, 2004 at 04:37:48PM +0100, Valentijn Sessink wrote:
> > Yes you can. Re-read my post, and be creative.
> That will work for incoming packets. And how do I protect myself
> against configuration errors sending out unencrypted packets? I'd need
> to put the mark on the packets for destination networks, which is
> error prone.

Why is that error prone? If your concern is putting out unencrypted
packets to certain networks, you can just use -p esp.

And yes: a firewall setup with IPsec *is* error prone. That's no
different in FreeS/WAN, I think. It is no more or less complicated to
say "-i ipsec0" or "-m mark --mark 1".

Apart from that, I do not exactly understand your point. AFAIK, FreeS/WAN
will only let you set up a tunnel or no tunnel, nothing in between. If
you would want to send some traffic through the tunnel, you would need a
whole lot of non-trivial policy routing rules. (But maybe I'm mistaken
here).

> The idea is nice, but it looks like an ugly hack. And it _is_ an ugly
> hack.

IPsec tunnel mode is an ugly hack? You might want to explain that to
Bruce Schneier: http://www.schneier.com/paper-ipsec.html

I wouldn't know what is ugly about marking packets to post-process them
later.

V.

-- 
http://www.openoffice.nl/ Open Office - Linux Office Solutions
Valentijn Sessink valentyn+sessink@xxxxxxxxxxxxxxxxxxxx
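The ruleset the two posters are arguing about, written out as an added example (not code from either of them). It assumes a Linux host using the kernel's native IPsec rather than a FreeS/WAN ipsec0 interface; PEER_IP and REMOTE_NET are constructed placeholders. Inbound traffic is handled with the "-p esp" mark trick from the thread (mark ESP on arrival, then require the mark on the decapsulated packets). For the outbound worry, the example goes beyond the thread and uses the later iptables policy match (assumed available, iptables 1.3 / kernel 2.6.16 or newer): cleartext for the remote subnet is only allowed out when the kernel's security policy says it will be encrypted, so a broken IPsec configuration fails closed instead of leaking plaintext. Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are constructed.
IPT="${IPT:-iptables}"               # set IPT=echo for a dry run
PEER_IP="${PEER_IP:-198.51.100.1}"   # constructed: remote IPsec gateway
REMOTE_NET="${REMOTE_NET:-10.2.0.0/16}"  # constructed: subnet behind it
MARK=1                               # the mark value the thread mentions

ipsec_rules() {
    # IKE (UDP/500) and ESP are only exchanged with the peer gateway.
    "$IPT" -A INPUT  -s "$PEER_IP" -p udp --sport 500 --dport 500 -j ACCEPT
    "$IPT" -A INPUT  -s "$PEER_IP" -p esp -j ACCEPT
    "$IPT" -A OUTPUT -d "$PEER_IP" -p udp --sport 500 --dport 500 -j ACCEPT
    "$IPT" -A OUTPUT -d "$PEER_IP" -p esp -j ACCEPT

    # Inbound, as in the thread: mark ESP from the peer on arrival. The
    # decapsulated plaintext keeps the mark, so the filter table can accept
    # traffic "from" REMOTE_NET only if it really came out of the tunnel;
    # unmarked cleartext with a REMOTE_NET source address is dropped.
    "$IPT" -t mangle -A PREROUTING -s "$PEER_IP" -p esp -j MARK --set-mark "$MARK"
    "$IPT" -A FORWARD -s "$REMOTE_NET" -m mark --mark "$MARK" -j ACCEPT
    "$IPT" -A INPUT   -s "$REMOTE_NET" -m mark --mark "$MARK" -j ACCEPT
    "$IPT" -A FORWARD -s "$REMOTE_NET" -j DROP
    "$IPT" -A INPUT   -s "$REMOTE_NET" -j DROP

    # Outbound guard (beyond the thread; assumes the xt_policy match):
    # cleartext for REMOTE_NET may leave only if an IPsec policy in ESP
    # tunnel mode towards PEER_IP applies to it. If the SPD is empty or
    # wrong, the final DROP catches the packet instead of sending it bare.
    for chain in FORWARD OUTPUT; do
        "$IPT" -A "$chain" -d "$REMOTE_NET" \
            -m policy --dir out --pol ipsec --proto esp \
            --mode tunnel --tunnel-dst "$PEER_IP" -j ACCEPT
        "$IPT" -A "$chain" -d "$REMOTE_NET" -j DROP
    done
}

ipsec_rules
```

The ordering matters: the ESP and IKE accepts for PEER_IP come first, and the peer's own address is outside REMOTE_NET, so the encrypted packets produced after encapsulation are never caught by the REMOTE_NET drops. Run it once with IPT=echo and read the output before applying it for real.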