Re: 2.6 native IPsec implementation question

From: Jan Engelhardt
Date: Mon Nov 15 2004 - 10:07:04 EST



>These almost exactly are rules I want to implement.
>But, when you run tcpdump -nni eth0 you can see ESP traffic _and_ one
>direction of something going through IPsec.

I think that PF_PACKETs "bypass" the firewall. Don't count on that, though.
(It's because I still see incoming port attempts despite having a tight
-P DROP)

>Moreover "-i eth0 -j DROP" blocks IPsec traffic ... (or -o eth0 i don't
>remember direction)

You "sit" on the network card chip and then think of input and output.
Btw, -j DROP will only drop what has not been matched up to now. So if you get
to -j ACCEPT IPsec traffic beforehand (I think -m ah / -m esp, did not
it?), they will never reach -j DROP.



Jan Engelhardt
--
Gesellschaft fÃr Wissenschaftliche Datenverarbeitung
Am Fassberg, 37077 GÃttingen, www.gwdg.de
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/