Re: 2.6 native IPsec implementation question
Date: Mon Nov 15 2004 - 11:48:38 EST
Jan Engelhardt wrote:
You "sit" on the network card chip and then think of input and output.No, it's not like you think.
Btw, -j DROP will only drop what has not been matched up to now. So if you get
to -j ACCEPT IPsec traffic beforehand (I think -m ah / -m esp, did not
it?), they will never reach -j DROP.
Situation is NOT EASY IF you have ONE VPN.
Just "close" eth0 for anything, allow AH,ESP,DNS from "any" IP addres,
then how you detect if tcp/389 is from VPN or form world ? You cant.
To make things harder - there are eth0, eth1, eth2 and eth3, two of them
has public IP addresses, two has private IP addresses, there is IPsec VPN
server running on both public addresses and a lot (32) of roadwarrior VPN
So, in this not easy situation firewalling is not possible.
But, how to implement firewall using iptables command is not my issue.
Lets assume that I just want to do "mrtg" traffic accounting....
So, my questions are still actual.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/