Re: IPSec - IPTables issues

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wednesday 05 May 2004 5:08 pm, John A. Sullivan III wrote:

> On Wed, 2004-05-05 at 11:22, Antony Stone wrote:
> > On Wednesday 05 May 2004 3:47 pm, Aleksandar Milivojevic wrote:
> > > Nico Schottelius wrote:
> > > >
> > > > Freeswan has virtual devices (ipsec*), through which the unencrypted
> > > > packets come into the system. So you can add these firewall lines:
> > > >
> > > > - allow AH, ESP, UDP/500, deny rest on eth0
> > > > - allow IPs/networks, etc. on ipsec0
> > >
> > > Haven't worked much with IPSec (at least not over firewall).  Are you
> > > sure that IPSec packets will go through Netfilter twice (once
> > > encrypted, and than once again unencrypted)?
> >
> > They do.   This makes it easy to filter the packet types you want to
> > allow through the tunnel, rather than having a VPN which passes just
> > everything.
>
> Please pardon my ignorance; I haven't yet played with 2.6 and the native
> IPSec.  So how does one distinguish packets which have arrived from an
> IPSec tunnel and are now re-traversing netfilter from those which have
> arrived unencrypted and are traversing netfilter for the first time?

That is a very good question, and one to which I am not aware of a good 
answer.   In my (extremely limited) experience of looking at IPsec in the 2.6 
kernels this is a major disadvantage of the design, and means it is not 
possible to secure a VPN (by which I mean selecting which traffic is allowed 
down it and which is not, as it was possible to do with FreeS/WAN by writing 
netfilter rules specifying ipsecN as the output interface).

> We would typically have a different set of access controls for data coming
> from a quasi-trusted tunnel versus data coming in from the Internet and
> historically differentiated by examining the interface (e.g., ipsec0
> versus eth0).

I agree.   If anyone knows a sensible way of achieving this with the new 2.6 
IPsec implementation, please share the knowledge :)

Regards,

Antony.

-- 
If you can't find an Open Source solution for it, then it isn't a real 
problem.

                                                     Please reply to the list;
                                                           please don't CC me.
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux