Re: Freeswan in Debian, or: Why I am such a bad maintainer
- To: Wichert Akkerman <firstname.lastname@example.org>, Marc Haber <email@example.com>, Rene Mayrhofer <firstname.lastname@example.org>, Bastian Blank <email@example.com>, Dominique Kaiser <firstname.lastname@example.org>, Giacomo Mulas <email@example.com>, Steven Augart <firstname.lastname@example.org>, Anthony DeRobertis <email@example.com>, Andrew Pimlott <firstname.lastname@example.org>, email@example.com, Alexander Hvostov <firstname.lastname@example.org>, Daniel Pocock <email@example.com>, Russell Stuart <firstname.lastname@example.org>, email@example.com, Christoph Martin <firstname.lastname@example.org>, Alexei Ustyuzhaninov <alust@UralskyGSM.com>, Jason Spence <email@example.com>, Mike Fedyk <firstname.lastname@example.org>, Luca Fornasari <email@example.com>, Torsten Knodt <firstname.lastname@example.org>, Christian Perrier <email@example.com>, Luk Claes <firstname.lastname@example.org>, email@example.com, Nate Carlson <firstname.lastname@example.org>
- Subject: Re: Freeswan in Debian, or: Why I am such a bad maintainer
- From: email@example.com (Lupe Christoph)
- Date: Mon, 28 Jun 2004 18:55:47 +0200
- Message-id: <20040628165547.GT29463@lupe-christoph.de>
- In-reply-to: <20040628143046.GH9561@wiggy.net>
- References: <40E00DDA.firstname.lastname@example.org> <20040628130629.GB9561@wiggy.net> <20040628142423.GO6752@torres.ka0.zugschlus.de> <20040628143046.GH9561@wiggy.net>
On Monday, 2004-06-28 at 16:30:46 +0200, Wichert Akkerman wrote:
> As was already mentioned it isn't perfect yet; netfilter hooks are
> definitely one such area. It does however have a nice modern design
> and has the benefit of being the officially blessed implementation on
> which all future development will be based, so expect things to improve
Such as having virtual interfaces to hang firewall rules from,
preferably one per tunnel? Please take into account that many helpful
tools like fwbuilder support either global rules or interface rules. If
you mean that netfilter will introduce yet another hook for rules, that
will mean that everybody will have to hand-craft the rules.
Which in turn means reduced security because large rulesets are hard to
handle without the help of a higher level tool.
Actually, I can't understand the resistance of the KAME people to
virtual interfaces. This lack has been discussed on freebsd-security for
years without any change in the implementation.
So I vote for KLIPS to stay until KAME sees the light...
PS: I've been running the openswan kernel patch and the userland tools
for a while now as a backport (made by myself) on Woody. Works like
a charm. But except for X.509 I don't use advanced magic...
PPS: Anybody working on a FreeBSD port of *SWAN? ;-)
| email@example.com | http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies. Michael Lucas |
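As an added illustration of the point about hanging firewall rules off a per-tunnel virtual interface (example script, not from this thread or either project): with KLIPS the decrypted traffic of a tunnel appears on an ipsecN device, so ordinary interface rules apply, whereas with the native 2.6 stack there is no such device and the rules must instead match the packet's IPsec policy. The policy match (`-m policy`) used in the second half is a netfilter feature that arrived after this 2004 discussion and is assumed to be available; the addresses are constructed, and `IPT` defaults to `echo iptables` so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed topology: 10.1.0.0/16
# behind this gateway, 10.2.0.0/16 behind the peer, peer address 192.0.2.1.
# IPT defaults to "echo iptables" so the rule sets can be inspected without
# applying them; set IPT=iptables to load them for real.
IPT=${IPT:-"echo iptables"}
LOCAL_NET=10.1.0.0/16
REMOTE_NET=10.2.0.0/16
PEER=192.0.2.1

# Rules common to both designs: accept the IKE and ESP envelope from the peer only.
envelope_rules() {
    $IPT -A INPUT -p udp -s $PEER --dport 500 -j ACCEPT
    $IPT -A INPUT -p esp -s $PEER -j ACCEPT
}

# KLIPS: decrypted packets arrive on ipsec0, so per-tunnel policy is plain
# interface rules, the kind a tool such as fwbuilder can generate.
klips_rules() {
    envelope_rules
    $IPT -A FORWARD -i ipsec0 -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
    $IPT -A FORWARD -o ipsec0 -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
    # Anything claiming the remote net that did not come out of the tunnel is spoofed.
    $IPT -A FORWARD ! -i ipsec0 -s $REMOTE_NET -j DROP
}

# Native 2.6 IPsec: decrypted packets re-enter on the physical interface, so the
# only thing that distinguishes tunnel traffic is the IPsec policy it matched
# (-m policy is assumed available; it post-dates this discussion).
native_rules() {
    envelope_rules
    $IPT -A FORWARD -m policy --dir in --pol ipsec --proto esp --tunnel-src $PEER \
        -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
    $IPT -A FORWARD -m policy --dir out --pol ipsec --proto esp --tunnel-dst $PEER \
        -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
    # Same anti-spoofing rule, now expressed as "no IPsec policy matched".
    $IPT -A FORWARD -m policy --dir in --pol none -s $REMOTE_NET -j DROP
}

# How many rules of a given set depend on a virtual interface (0 for native IPsec).
count_iface_rules() {
    "$1" | grep -c 'ipsec0' || true
}
```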