Re: 2.6 native IPsec implementation question

From: Jan Engelhardt
Date: Mon Nov 15 2004 - 10:07:04 EST

>These almost exactly are rules I want to implement.
>But, when you run tcpdump -nni eth0 you can see ESP traffic _and_ one
>direction of something going through IPsec.

I think that PF_PACKETs "bypass" the firewall. Don't count on that, though.
(It's because I still see incoming port attempts despite having a tight

>Moreover "-i eth0 -j DROP" blocks IPsec traffic ... (or -o eth0 i don't
>remember direction)

You "sit" on the network card chip and then think of input and output.
Btw, -j DROP will only drop what has not been matched up to now. So if you get
to -j ACCEPT IPsec traffic beforehand (I think -m ah / -m esp, didn't
it?), they will never reach -j DROP.

Jan Engelhardt
Gesellschaft für Wissenschaftliche Datenverarbeitung
Am Fassberg, 37077 Göttingen,
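The ordering point in the mail (a catch-all -j DROP only sees what earlier rules did not ACCEPT) as an added shell example; it is not from the original thread and not a real ruleset from the poster. Interface name eth0, IKE on UDP 500 and the use of -p esp / -p ah for the IPsec protocols are assumptions. The first function prints the INPUT rules in the order the kernel evaluates them; the second is a tiny first-match simulator over a simplified rule table, so the effect of putting the DROP first can be checked without touching a live firewall. One caveat worth knowing with the native 2.6 stack: the decrypted inner packet traverses INPUT a second time as plaintext on the same interface, so it needs its own ACCEPT rules as well (the later -m policy --dir in --pol ipsec match exists for exactly that case).

```shell
#!/bin/sh
# Added example, not part of Jan's mail: iptables evaluates a chain top to
# bottom and stops at the first matching rule, so ACCEPT-before-DROP is what
# lets IPsec through a tight interface-wide DROP.

# Print the INPUT rules in the order the kernel will evaluate them.
# Assumed: outside interface eth0, IKE on UDP 500, ESP and AH by protocol.
ipsec_input_rules() {
    cat <<'EOF'
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p ah -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
EOF
}

# Simplified rule table, one rule per line: "<iface> <proto> <dport> <target>".
# "any" matches every protocol, "-" matches every port. Same order as above.
GOOD_RULES='eth0 esp - ACCEPT
eth0 ah - ACCEPT
eth0 udp 500 ACCEPT
eth0 any - DROP'

# The situation the mail describes: the interface-wide DROP comes first, so
# the IPsec ACCEPT rules below it are never reached.
BAD_RULES='eth0 any - DROP
eth0 esp - ACCEPT
eth0 ah - ACCEPT
eth0 udp 500 ACCEPT'

# verdict RULES IFACE PROTO DPORT
# Walks the table top to bottom and prints the target of the first matching
# rule; prints POLICY when nothing matches (the chain's default policy applies).
verdict() {
    rules=$1 iface=$2 proto=$3 dport=$4
    while read -r r_if r_proto r_port r_target; do
        [ "$r_if" = "$iface" ] || continue
        [ "$r_proto" = any ] || [ "$r_proto" = "$proto" ] || continue
        [ "$r_port" = - ] || [ "$r_port" = "$dport" ] || continue
        printf '%s\n' "$r_target"
        return 0
    done <<EOF
$rules
EOF
    printf 'POLICY\n'
}

# Constructed packets: ESP, IKE and plain TCP arriving on eth0, plus TCP on eth1.
for pkt in 'eth0 esp -' 'eth0 udp 500' 'eth0 tcp 22' 'eth1 tcp 22'; do
    # shellcheck disable=SC2086
    set -- $pkt
    printf 'good order: %-14s -> %s\n' "$pkt" "$(verdict "$GOOD_RULES" "$1" "$2" "$3")"
    printf 'bad order:  %-14s -> %s\n' "$pkt" "$(verdict "$BAD_RULES" "$1" "$2" "$3")"
done
```

Running it shows ESP and IKE packets getting ACCEPT under the good ordering and DROP under the bad one, while plain TCP on eth0 is dropped either way and traffic on eth1 falls through to the chain policy.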