Re: Freeswan in Debian, or: Why I am such a bad maintainer
- To: "Daniel Pocock" <daniel@pocock.com.au>
- Cc: "Dominique Kaiser" <kaiser_d@gmx.net>, "Wichert Akkerman" <wichert@wiggy.net>, "Lupe Christoph " <lupe@lupe-christoph.de>, "Marc Haber " <mh+debian-devel@zugschlus.de>, "Rene Mayrhofer " <rene.mayrhofer@gibraltar.at>, "Bastian Blank " <waldi@debian.org>, "Dominique Kaiser " <dommi_s1@gmx.net>, "Giacomo Mulas " <gmulas@ca.astro.it>, "Steven Augart " <augart@watson.ibm.com>, "Anthony DeRobertis " <anthony@derobert.net>, "Andrew Pimlott " <pimlott@idiomtech.com>, herbert@gondor.apana.org.au, "Alexander Hvostov " <alex@aoi.dyndns.org>, "Daniel Pocock " <daniel@pocock.com.au>, "Russell Stuart " <russell-debian-bug@stuart.id.au>, dalhagen@tele-net.net, "Christoph Martin " <martin@uni-mainz.de>, "Alexei Ustyuzhaninov " <alust@uralskygsm.com>, "Jason Spence " <jspence@lightconsulting.com>, "Mike Fedyk " <mfedyk@matchmail.com>, "Luca Fornasari " <luca.fornasari@easybit.it>, "Torsten Knodt " <tk-debian@datas-world.de>, "Christian Perrier " <bubulle@debian.org>, "Luk Claes " <luk.claes@ugent.be>, debian-devel@lists.debian.org, "Nate Carlson" <natecars@natecarlson.com>
- Subject: Re: Freeswan in Debian, or: Why I am such a bad maintainer
- From: Marc Haber <mh+debian-devel@zugschlus.de>
- Date: Thu, 01 Jul 2004 01:02:05 +0200
- Message-id: <E1Bfo5q-0002Ow-CF@torres.ka0.zugschlus.de>
- In-reply-to: <32861.213.228.220.45.1088497641.squirrel@secure.trendhosting.net>
- References: <40E00DDA.3040807@gibraltar.at> <20040628130629.GB9561@wiggy.net> <20040628142423.GO6752@torres.ka0.zugschlus.de> <20040628143046.GH9561@wiggy.net> <20040628165547.GT29463@lupe-christoph.de> <20040628193306.GN9561@wiggy.net> <40E07B74.6000106@gmx.net> <32861.213.228.220.45.1088497641.squirrel@secure.trendhosting.net>
On Tue, 29 Jun 2004 09:27:21 +0100 (BST), "Daniel Pocock"
<daniel@pocock.com.au> wrote:
>Here is a very simple example:
>- the method works with manual keying or any IKE daemon
>- any packets from IPsec peers will be fully trusted and not be screened
>further by netfilter
>
>Step 1: Identify packets in mangle table
>
>iptables --table mangle -A PREROUTING -p esp -j MARK --set-mark 1
>
>Step 2: Allow packets in filter table
>
>iptables --table filter --insert INPUT --match mark --mark 1 -j ACCEPT
It is much more complicated than doing
iptables --table filter --insert INPUT --in-int ipsec0 -j ACCEPT,
and I think it sucks. Oh, btw, please make sure that no packet with
source address from 192.168.130.0/24 goes out on the tunnel while not
affecting any other processing of these packets, the equivalent of
iptables --table filter --insert OUTPUT --out-int ipsec0 --dst
192.168.130.0/24 -j ACCEPT
I think you have just very effectively proven that packet filtering is
_MUCH_ easier if you have a virtual interface.
Greetings
Marc, who has gotten rid of freeswan this morning
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29