On Wednesday 05 May 2004 3:47 pm, Aleksandar Milivojevic wrote:

> Nico Schottelius wrote:
> > I'll compare what freeswan did with what Linux 2.6 does now:
> >
> > Freeswan has virtual devices (ipsec*), through which the unencrypted
> > packets come into the system. So you can add these firewall lines:
> >
> > - allow AH, ESP, UDP/500, deny rest on eth0
> > - allow IPs/networks, etc. on ipsec0
>
> Haven't worked much with IPSec (at least not over firewall). Are you
> sure that IPSec packets will go through Netfilter twice (once encrypted,
> and then once again unencrypted)?

They do. This makes it easy to filter the packet types you want to allow
through the tunnel, rather than having a VPN which passes just everything.

> Anyhow, if I assume that what you wrote is correct (and it is how Linux
> kernel handles packets), I still don't see the need for virtual devices.

That's the way FreeS/WAN does it.

Regards,

Antony.

--
"There has always been an underlying argument that we should open up our
source code more broadly. The fact is that we are learning from open source
and we are opening our code more broadly through Shared Source. Is there
value to providing source code? The answer is unequivocally yes."

- Jason Matusow, head of Microsoft's Shared Source Program, in response to
recent leaks of Windows source code on the Internet.

Please reply to the list; please don't CC me.
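The two firewall lines Nico describes (IPsec-only on eth0, per-network policy on the ipsec0 device where the decrypted packets appear), written out as iptables rules. This is an added example, not code from anyone in the thread; the interface names, the allowed inner networks and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: the FreeS/WAN-era filtering policy from the thread above as
# iptables rules. IPT defaults to a dry run that prints the commands instead
# of loading them; set IPT=iptables on a real host.
IPT="${IPT:-echo iptables}"

# ipsec_fw_rules OUTER_IF TUNNEL_IF ALLOWED_NET...
# Outer interface: only AH, ESP and IKE (UDP/500) are accepted, the rest dropped.
# Tunnel interface: only the listed inner networks are accepted, the rest dropped.
ipsec_fw_rules() {
    outer="$1"; tun="$2"; shift 2
    # Outer interface (e.g. eth0): the encrypted packets pass Netfilter here.
    $IPT -A INPUT -i "$outer" -p ah  -j ACCEPT
    $IPT -A INPUT -i "$outer" -p esp -j ACCEPT
    $IPT -A INPUT -i "$outer" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$outer" -j DROP
    # Tunnel interface (e.g. ipsec0): the same packets, now decrypted, pass
    # Netfilter a second time, so policy on the plaintext is applied here.
    for net in "$@"; do
        $IPT -A INPUT   -i "$tun" -s "$net" -j ACCEPT
        $IPT -A FORWARD -i "$tun" -s "$net" -j ACCEPT
    done
    $IPT -A INPUT   -i "$tun" -j DROP
    $IPT -A FORWARD -i "$tun" -j DROP
}

# Constructed sample: two inner networks allowed through the tunnel (assumed values).
ipsec_fw_rules eth0 ipsec0 10.1.0.0/16 192.168.5.0/24
```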