On Wed, 2004-05-05 at 11:22, Antony Stone wrote:
> On Wednesday 05 May 2004 3:47 pm, Aleksandar Milivojevic wrote:
>
> > Nico Schottelius wrote:
> > > I'll compare what freeswan did with what Linux 2.6 does now:
> > >
> > > Freeswan has virtual devices (ipsec*), through which the unencrypted
> > > packets come into the system. So you can add these firewall lines:
> > >
> > > - allow AH, ESP, UDP/500, deny rest on eth0
> > > - allow IPs/networks, etc. on ipsec0
> >
> > Haven't worked much with IPSec (at least not over firewall). Are you
> > sure that IPSec packets will go through Netfilter twice (once encrypted,
> > and then once again unencrypted)?
>
> They do. This makes it easy to filter the packet types you want to allow
> through the tunnel, rather than having a VPN which passes just everything.

Please pardon my ignorance; I haven't yet played with 2.6 and the native IPSec. So how does one distinguish packets which have arrived from an IPSec tunnel and are now re-traversing netfilter from those which have arrived unencrypted and are traversing netfilter for the first time? We would typically have a different set of access controls for data coming from a quasi-trusted tunnel versus data coming in from the Internet, and historically differentiated by examining the interface (e.g., ipsec0 versus eth0).

> > Anyhow, if I assume that what you wrote is correct (and it is how the Linux
> > kernel handles packets), I still don't see the need for virtual devices.
>
> That's the way FreeS/WAN does it.
>
> Regards,
>
> Antony.

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
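The eth0/ipsec0 split that the quoted FreeS/WAN description relies on, written out as iptables rules; this is an added example, not code from anyone in the thread, and the interface names, the sample networks and the IPTABLES dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the FreeS/WAN-era firewall layout,
# where encrypted traffic arrives on the real interface and the decrypted
# packets re-enter netfilter on the virtual ipsec* device.
# Hypothetical names throughout; set IPTABLES=echo to print instead of apply.
IPTABLES="${IPTABLES:-iptables}"

# ipsec_gateway_rules EXT_IF IPSEC_IF NET...
#   EXT_IF   : interface the encrypted packets arrive on (e.g. eth0)
#   IPSEC_IF : virtual device the decrypted packets come in on (e.g. ipsec0)
#   NET...   : source networks allowed to reach us through the tunnel
ipsec_gateway_rules() {
    ext_if="$1"
    ipsec_if="$2"
    shift 2

    # Outer interface: only IKE (UDP/500), AH (IP proto 51) and ESP
    # (IP proto 50) may come in; everything else is dropped.
    "$IPTABLES" -A INPUT -i "$ext_if" -p udp --dport 500 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$ext_if" -p 51 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$ext_if" -p 50 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$ext_if" -j DROP

    # Virtual device: these packets have already been decrypted, so
    # ordinary address-based policy applies, both to the gateway itself
    # (INPUT) and to traffic it forwards onward (FORWARD).
    for net in "$@"; do
        "$IPTABLES" -A INPUT   -i "$ipsec_if" -s "$net" -j ACCEPT
        "$IPTABLES" -A FORWARD -i "$ipsec_if" -s "$net" -j ACCEPT
    done
    "$IPTABLES" -A INPUT   -i "$ipsec_if" -j DROP
    "$IPTABLES" -A FORWARD -i "$ipsec_if" -j DROP
}

# Dry run: print the rules the function would add for the given networks.
dry_run_rules() {
    ( IPTABLES=echo; ipsec_gateway_rules eth0 ipsec0 "$@" )
}

# Number of rules a dry run emits for the given networks.
count_rules() {
    dry_run_rules "$@" | wc -l | tr -d ' '
}
```

Run `dry_run_rules 10.0.0.0/8` to inspect the rule set before applying it with the real iptables binary.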