Re: Freeswan in Debian, or: Why I am such a bad maintainer
- To: "Dominique Kaiser" <firstname.lastname@example.org>
- Cc: "Wichert Akkerman" <email@example.com>, "Lupe Christoph " <firstname.lastname@example.org>, "Marc Haber " <email@example.com>, "Rene Mayrhofer " <firstname.lastname@example.org>, "Bastian Blank " <email@example.com>, "Dominique Kaiser " <firstname.lastname@example.org>, "Giacomo Mulas " <email@example.com>, "Steven Augart " <firstname.lastname@example.org>, "Anthony DeRobertis " <email@example.com>, "Andrew Pimlott " <firstname.lastname@example.org>, email@example.com, "Alexander Hvostov " <firstname.lastname@example.org>, "Daniel Pocock " <email@example.com>, "Russell Stuart " <firstname.lastname@example.org>, email@example.com, "Christoph Martin " <firstname.lastname@example.org>, "Alexei Ustyuzhaninov " <email@example.com>, "Jason Spence " <firstname.lastname@example.org>, "Mike Fedyk " <email@example.com>, "Luca Fornasari " <firstname.lastname@example.org>, "Torsten Knodt " <email@example.com>, "Christian Perrier " <firstname.lastname@example.org>, "Luk Claes " <email@example.com>, firstname.lastname@example.org, "Nate Carlson" <email@example.com>
- Subject: Re: Freeswan in Debian, or: Why I am such a bad maintainer
- From: "Daniel Pocock" <firstname.lastname@example.org>
- Date: Tue, 29 Jun 2004 09:27:21 +0100 (BST)
- Message-id: <email@example.com>
- In-reply-to: <40E07B74.firstname.lastname@example.org>
- References: <40E00DDA.email@example.com> <20040628130629.GB9561@wiggy.net> <20040628142423.GO6752@torres.ka0.zugschlus.de> <20040628143046.GH9561@wiggy.net> <20040628165547.GT29463@lupe-christoph.de> <20040628193306.GN9561@wiggy.net> <40E07B74.firstname.lastname@example.org>
Here is a very simple example:
- the method works with manual keying or any IKE daemon
- any packets from IPsec peers will be fully trusted and not be screened
further by netfilter
Step 1: Identify packets in mangle table
iptables --table mangle -A PREROUTING -p esp -j MARK --set-mark 1
Step 2: Allow packets in filter table
iptables --table filter --insert INPUT --match mark --mark 1 -j ACCEPT
When packets traverse the PREROUTING chain of the 'mangle' table, they are
still encrypted. At this point, they can be marked. The firewall mark
remains with the packet even after the packet is decrypted. When it
reaches the INPUT (or possibly FORWARD) chain of the 'filter' table, the
packet still bears the mark.
This example assumes that you completely trust any packets from any hosts
you have chosen to accept IPsec packets from.
You could make the rules tighter to only allow IPsec packets from specific
hosts, networks or interfaces.
> And again we arrive at the lacking docu...
> - Why is it more flexible ?
> - How is it different ?
> - How would I do this "dummy interface" with 26 IPSEC and OpenSwan ?
> - Why doesn't OpenSwan do this by default when using 26 ?
> - How would I / Can I use tcpdump with this setup ?
> - Is this possible with a stock 2.6 kernel ?
> - and so on...
> ( I don't expect an answer here - I know some of the answers but not all..
> this is more to demonstrate what's missing in my opinion)
> - keep in mind that most people are NOT interested at all if some of
> the above is in the sole "problem domain" of OpenSwan, of 2.6 kernel
> or if it is a mixture of both - they want it to work smoothly and in an
> intuitive way.
> Just my two cents,
> Wichert Akkerman wrote:
>>Previously Lupe Christoph wrote:
>>>Such as having virtual interfaces to hang firewall rules from,
>>>preferably one per tunnel?
>>You should be able to do that using dummy interfaces. Just keep in
>>mind that ipsec is no longer done through an interface but via a
>>route transform, which is a very different and more flexible approach.
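An added example, not part of the original message, that carries the two-step mark technique from the reply above into a reviewable rule script: each IPsec peer gets its own firewall mark in mangle/PREROUTING (which gives the per-tunnel handle Lupe Christoph asked for), the filter table accepts decrypted packets by mark on INPUT and FORWARD, and the unmarked IKE exchange is admitted explicitly, since the two steps in the message do not cover it. The rules are printed rather than executed so they can be reviewed or piped to sh. Peer addresses, the mark base and the UDP 500/4500 IKE ports are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original message. Emits iptables commands for the
# mark-on-ESP technique; nothing is applied unless the output is piped to sh.
# Assumed: peers 192.0.2.10 and 198.51.100.7, mark base 100, IKE on UDP 500/4500.

IKE_PORTS="500 4500"   # IKE and NAT-T; assumed deployment detail

# ipsec_mark_rules BASE PEER... : print the rules. Peer N (1-based) gets mark BASE+N-1.
ipsec_mark_rules() {
    base=$1; shift
    n=0
    for peer in "$@"; do
        mark=$((base + n))
        # Step 1: the packet is still encrypted in PREROUTING of 'mangle'; mark it
        # by peer so later rules can tell the tunnels apart.
        printf 'iptables -t mangle -A PREROUTING -s %s -p esp -j MARK --set-mark %s\n' "$peer" "$mark"
        # Step 2: the decrypted packet still bears the mark; accept it for local
        # delivery and for forwarding. Insert at the top as in the original step 2.
        printf 'iptables -t filter -I INPUT -m mark --mark %s -j ACCEPT\n' "$mark"
        printf 'iptables -t filter -I FORWARD -m mark --mark %s -j ACCEPT\n' "$mark"
        n=$((n + 1))
    done
    # The key exchange is plain UDP and never marked, so a default-deny INPUT
    # chain must admit IKE from each peer or no SA is ever negotiated.
    for peer in "$@"; do
        for port in $IKE_PORTS; do
            printf 'iptables -t filter -A INPUT -s %s -p udp --dport %s -j ACCEPT\n' "$peer" "$port"
        done
    done
}

# peer_mark BASE INDEX : the mark assigned to the INDEX-th (1-based) peer.
peer_mark() {
    echo $(( $1 + $2 - 1 ))
}

# Unmarked traffic gets no ACCEPT here and falls through to the normal policy.
if [ "${1:-}" = "--demo" ]; then
    ipsec_mark_rules 100 192.0.2.10 198.51.100.7
fi
```

Run with `sh script.sh --demo` to see the rules; to restrict a tunnel further, match its mark (for example `-m mark --mark 101`) together with the inner source network in the FORWARD chain instead of accepting the mark unconditionally.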