Re: 2.6 native IPsec implementation question

From: Blizbor
Date: Mon Nov 15 2004 - 11:48:38 EST

Next message: Ingo Molnar: "Re: [patch] Real-Time Preemption, -RT-2.6.10-rc1-mm3-V0.7.25-1"
Previous message: Adrian Bunk: "Re: [2.6 patch] SCSI: misc possible cleanups"
In reply to: Jan Engelhardt: "Re: 2.6 native IPsec implementation question"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jan Engelhardt wrote:

You "sit" on the network card chip and then think of input and output.
Btw, -j DROP will only drop what has not been matched up to now. So if you get
to -j ACCEPT IPsec traffic beforehand (I think -m ah / -m esp, did not
it?), they will never reach -j DROP.

No, it's not like you think.

Situation is NOT EASY IF you have ONE VPN.
Just "close" eth0 for anything, allow AH,ESP,DNS from "any" IP addres,
then how you detect if tcp/389 is from VPN or form world ? You cant.
To make things harder - there are eth0, eth1, eth2 and eth3, two of them
has public IP addresses, two has private IP addresses, there is IPsec VPN
server running on both public addresses and a lot (32) of roadwarrior VPN
clients.

So, in this not easy situation firewalling is not possible.
Believe me.

But, how to implement firewall using iptables command is not my issue.
Lets assume that I just want to do "mrtg" traffic accounting....

So, my questions are still actual.

Regards,
Blizbor

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [patch] Real-Time Preemption, -RT-2.6.10-rc1-mm3-V0.7.25-1"
Previous message: Adrian Bunk: "Re: [2.6 patch] SCSI: misc possible cleanups"
In reply to: Jan Engelhardt: "Re: 2.6 native IPsec implementation question"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]