From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: netfilter@lists.netfilter.org
Subject: Re: IPSec - IPTables issues
Date: Wed, 05 May 2004 12:08:57 -0400 [thread overview]
Message-ID: <1083773336.9138.43.camel@localhost> (raw)
In-Reply-To: <200405051622.26944.Antony@Soft-Solutions.co.uk>
On Wed, 2004-05-05 at 11:22, Antony Stone wrote:
> On Wednesday 05 May 2004 3:47 pm, Aleksandar Milivojevic wrote:
>
> > Nico Schottelius wrote:
> > > I'll compare what freeswan did with what Linux 2.6 does now:
> > >
> > > Freeswan has virtual devices (ipsec*), through which the unencrypted
> > > packets come into the system. So you can add these firewall lines:
> > >
> > > - allow AH, ESP, UDP/500, deny rest on eth0
> > > - allow IPs/networks, etc. on ipsec0
> >
> > Haven't worked much with IPSec (at least not over firewall). Are you
> > sure that IPSec packets will go through Netfilter twice (once encrypted,
> > and than once again unencrypted)?
>
> They do. This makes it easy to filter the packet types you want to allow
> through the tunnel, rather than having a VPN which passes just everything.
Please pardon my ignorance; I haven't yet played with 2.6 and the native
IPSec. So how does one distinguish packets which have arrived from an
IPSec tunnel and are now re-traversing netfilter from those which have
arrived unencrypted and are traversing netfilter for the first time? We
would typically have a different set of access controls for data coming
from a quasi-trusted tunnel versus data coming in from the Internet and
historically differentiated by examining the interface (e.g., ipsec0
versus eth0).
>
> > Anyhow, if I assume that what you wrote is correct (and it is how Linux
> > kernel handles packets), I still don't see need for virtual devices.
>
> That's the way FreeS/WAN does it.
>
> Regards,
>
> Antony.
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
next prev parent reply other threads:[~2004-05-05 16:08 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20040502155538.GD515@schottelius.org>
[not found] ` <4096317F.8020609@eurodev.net>
2004-05-04 21:15 ` IPSec - IPTables issues Nico Schottelius
2004-05-05 5:28 ` Aidas Kasparas
2004-05-05 10:27 ` Patrick McHardy
2004-05-05 10:48 ` Alexander Samad
2004-05-05 14:47 ` Aleksandar Milivojevic
2004-05-05 15:01 ` Aleksandar Milivojevic
2004-05-05 15:22 ` Antony Stone
2004-05-05 16:08 ` John A. Sullivan III [this message]
2004-05-05 17:32 ` Antony Stone
2004-05-06 15:59 ` Aleksandar Milivojevic
2004-05-06 16:31 ` John A. Sullivan III
2004-05-05 16:12 ` Aleksandar Milivojevic
2004-05-05 17:29 ` Antony Stone
2004-05-05 19:07 ` Aleksandar Milivojevic
2004-05-06 0:21 ` Patrick Turley
2004-05-06 9:10 ` Wolfgang Walter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1083773336.9138.43.camel@localhost \
--to=john.sullivan@nexusmgmt.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox