
Re: Freeswan in Debian, or: Why I am such a bad maintainer

On Monday, 2004-06-28 at 16:30:46 +0200, Wichert Akkerman wrote:

> As was already mentioned it isn't perfect yet; netfilter hooks are
> definitely one such area. It does however have a nice modern design
> and has the benefit of being the officially blessed implementation on
> which all future development will be based, so expect things to improve
> rapidly.

Such as having virtual interfaces to hang firewall rules from,
preferably one per tunnel? Please take into account that many helpful
tools like fwbuilder support either global rules or interface rules. If
you mean that netfilter will introduce yet another hook for rules, that
will mean that everybody will have to hand-craft the rules.

Which in turn means reduced security because large rulesets are hard to
handle without the help of a higher level tool.

Actually, I can't understand the resistance of the KAME people to
virtual interfaces. This lack has been discussed on freebsd-security for
years without any change in the implementation.

So I vote for KLIPS to stay until KAME sees the light...
Lupe Christoph

PS: I've been running the openswan kernel patch and the userland tools
    for a while now as a backport (made by myself) on Woody. Works like
    a charm. But except for X.509 I don't use advanced magic...
PPS: Anybody working on a FreeBSD port of *SWAN? ;-)
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity    |
| Home for Badgers with Rabies.                            Michael Lucas |
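An added example (not from the original mail or from the *SWAN projects) of the two rule styles the message above contrasts, written in iptables-restore format. The interface names, the tunnel peer 192.0.2.1 and the two subnets are assumptions. With KLIPS, decrypted traffic arrives on the per-tunnel virtual interface ipsec0, so the rules hang from that interface as any interface-rule tool would generate them. The native 2.6 stack has no such interface: the decrypted packet re-enters on eth0, and the same policy has to be hand-crafted with netfilter's policy match (xt_policy), which was added to netfilter after this mail was written.

```conf
# Constructed example: one IPsec tunnel to peer 192.0.2.1, remote subnet
# 10.1.0.0/16, local LAN 10.0.0.0/16 on eth1, Internet on eth0.
# Load with: iptables-restore < this-file
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Both stacks: the IKE and ESP packets themselves must reach the gateway.
-A INPUT -i eth0 -p udp --dport 500 -s 192.0.2.1 -j ACCEPT
-A INPUT -i eth0 -p esp -s 192.0.2.1 -j ACCEPT

# --- KLIPS: each tunnel is a virtual interface, rules hang from it ---
# Only decrypted packets ever appear on ipsec0; cleartext from the Internet
# stays on eth0, so "-i ipsec0" alone proves the packet came through the tunnel.
-A FORWARD -i ipsec0 -o eth1 -s 10.1.0.0/16 -d 10.0.0.0/16 -j ACCEPT
-A FORWARD -i eth1 -o ipsec0 -s 10.0.0.0/16 -d 10.1.0.0/16 -j ACCEPT

# --- native 2.6 stack: no interface, the decrypted packet re-enters on eth0 ---
# A plain "-i eth0 -s 10.1.0.0/16" rule would also accept spoofed cleartext
# with that source, so every rule must carry the policy match, and the tunnel
# peer has to be pinned by hand (--tunnel-src/--tunnel-dst) to get the
# per-tunnel selectivity that ipsec0 gave for free.
-A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src 192.0.2.1 -s 10.1.0.0/16 -d 10.0.0.0/16 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst 192.0.2.1 -s 10.0.0.0/16 -d 10.1.0.0/16 -j ACCEPT
COMMIT
```

Only one of the two FORWARD sections applies to a given kernel; they are shown together for comparison. The security-relevant difference is the failure mode: drop the interface from a KLIPS rule and the rule simply does not match, whereas forgetting `-m policy` on the native stack silently opens the rule to unencrypted packets arriving on eth0.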
