
Re: Freeswan in Debian, or: Why I am such a bad maintainer

On Tue, 29 Jun 2004 09:27:21 +0100 (BST), "Daniel Pocock"
<daniel@pocock.com.au> wrote:
>Here is a very simple example:
>- the method works with manual keying or any IKE daemon
>- any packets from IPsec peers will be fully trusted and not be screened
>further by netfilter
>Step 1: Identify packets in mangle table
>iptables --table mangle -A PREROUTING -p esp -j MARK --set-mark 1
>Step 2: Allow packets in filter table
>iptables --table filter --insert INPUT --match mark --mark 1 -j ACCEPT

It is much more complicated than doing 

iptables --table filter --insert INPUT --in-int ipsec0 -j ACCEPT,

and I think it sucks. Oh, btw, please make sure that no packet with
source address from goes out on the tunnel while not
affecting any other processing of these packets, the equivalent of

iptables --table filter --insert OUTPUT --out-int ipsec0 --dst -j ACCEPT

I think you have just very effectively proven that packet filtering is
_MUCH_ easier if you have a virtual interface.

Marc, who has gotten rid of freeswan this morning

-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
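The two filtering approaches argued over above, worked through as an added example (this is not code from the thread or from either participant): a POSIX sh script that emits the rules as iptables command lines and applies them only on request. The `mark` set is the mangle/fwmark trick quoted from Daniel Pocock's mail; the `policy` set uses netfilter's `-m policy` (xt_policy) match, which later 2.6 kernels gained and which gives the outbound rule Marc asks for without a virtual interface. The variable names `IPT`, `MARK`, `REMOTE_NET` and `BLOCKED_SRC` and the two subnets are assumptions chosen for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: emit (and optionally apply)
# netfilter rules that screen IPsec-protected traffic on a kernel that has
# no virtual ipsec0 interface. Two rule sets are generated:
#   mark    the trick quoted in the thread (mangle PREROUTING marks ESP,
#           the filter table trusts the mark after decapsulation)
#   policy  the xt_policy match that later 2.6 kernels provide, which also
#           covers the outbound case the reply asks for
# Nothing touches the kernel unless APPLY=1 and the script runs as root.
set -u

IPT="${IPT:-iptables}"                        # assumption: iptables in PATH
MARK="${MARK:-1}"                             # fwmark value used in the thread
REMOTE_NET="${REMOTE_NET:-192.0.2.0/24}"      # constructed: subnet behind the peer
BLOCKED_SRC="${BLOCKED_SRC:-198.51.100.0/24}" # constructed: must never enter the tunnel

# Print one iptables invocation per line; the caller decides whether to run it.
emit() { printf '%s %s\n' "$IPT" "$*"; }

rules_mark() {
    # Step 1: tag ESP on arrival. The thread's method relies on the 2.6
    # kernel keeping the fwmark when xfrm decapsulates the packet and feeds
    # the cleartext back through the stack, so the inner packet still
    # carries the mark when it reaches INPUT or FORWARD.
    emit -t mangle -A PREROUTING -p esp -j MARK --set-mark "$MARK"
    # Step 2: trust everything that carries the mark. Every peer that can
    # complete an SA is trusted alike; the mark says nothing about which one.
    emit -t filter -I INPUT -m mark --mark "$MARK" -j ACCEPT
    emit -t filter -I FORWARD -m mark --mark "$MARK" -j ACCEPT
    # There is no outbound counterpart: at OUTPUT time nothing tells
    # netfilter whether the packet is about to be encapsulated.
}

rules_policy() {
    # -I inserts at the head of the chain, so rules emitted later are
    # evaluated earlier; the DROPs below therefore win over the ACCEPTs.
    # Inbound: match only packets that arrived inside an ESP SA.
    emit -t filter -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    emit -t filter -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Outbound, the stand-in for "--out-interface ipsec0": a packet that is
    # about to be encapsulated matches --dir out --pol ipsec, so one source
    # range can be kept out of the tunnel without touching other traffic.
    emit -t filter -I FORWARD -s "$BLOCKED_SRC" -m policy --dir out --pol ipsec -j DROP
    emit -t filter -I OUTPUT -s "$BLOCKED_SRC" -m policy --dir out --pol ipsec -j DROP
    # Leak guard: traffic for the remote subnet that matches no IPsec policy
    # (SA down, policy missing) is dropped rather than sent in the clear.
    emit -t filter -I FORWARD -d "$REMOTE_NET" -m policy --dir out --pol none -j DROP
    emit -t filter -I OUTPUT -d "$REMOTE_NET" -m policy --dir out --pol none -j DROP
}

# Run the generated lines through sh when APPLY=1, otherwise just show them.
apply_or_print() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@" | sh -e
    else
        "$@"
    fi
}

case "${1:-}" in
    mark)   apply_or_print rules_mark ;;
    policy) apply_or_print rules_policy ;;
    "")     ;;   # sourced or run without arguments: define functions only
    *)      printf 'usage: %s mark|policy\n' "$0" >&2 ;;
esac
```

Run it as `sh ipsec-rules.sh policy` to review the rules, and `APPLY=1 sh ipsec-rules.sh policy` as root to load them. The `policy` set needs a kernel and iptables with the xt_policy match; on a kernel that lacks it the `mark` set is what remains, and its outbound gap is exactly the one the reply above points out.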
